A Kubernetes Fleet Manager Work resource is the envelope that carries the concrete, rendered set of Kubernetes manifests the fleet agent reconciles onto a specific member cluster; it is the unit of actual manifest application.
Because Work objects embed the full manifest payload deployed to member clusters, they can contain inline configuration and secret-bearing objects, and write access to them directly determines what runs on member clusters.
Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/write
Writing a Work object injects or replaces the actual Kubernetes manifests applied to a member cluster, letting an attacker deploy arbitrary workloads, tamper with already-deployed objects, and run code under in-cluster service-account identities for lateral movement.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security