services / Azure / Kubernetes service accounts (fleet)
Kubernetes ServiceAccount objects within an AKS fleet namespace, which represent in-cluster workload identities that pods authenticate as and that are bound to RBAC roles.
Workload identities are targets for impersonation and credential theft; controlling them enables persistence and privilege escalation across the cluster.
Microsoft.ContainerService/fleets/serviceaccounts/delete
Deleting a ServiceAccount removes that cluster workload identity outright: pods that depend on it can no longer authenticate to the API server, so the services they provide are disrupted.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security