services / Azure / Kubernetes secrets (fleet)
Kubernetes Secret objects within an AKS fleet namespace, which store credential material such as service-account tokens, TLS keys, passwords, connection strings, and registry credentials consumed by workloads.
Holds live credential/cryptographic material; compromise yields identity takeover and lateral movement across the cluster and connected systems.
Microsoft.ContainerService/fleets/secrets/read
Reading Kubernetes Secrets returns the actual credential material (tokens, keys, connection strings, service-account tokens), enabling direct exfiltration of secrets and reuse of those identities for lateral movement and account takeover.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security