Azure: Kubernetes service account impersonation (Fleet)
Grants the Kubernetes impersonate verb on ServiceAccount identities for an AKS Fleet, allowing the API caller to issue requests as an arbitrary ServiceAccount.
ServiceAccount impersonation inherits the RBAC bound to the impersonated workload identity, enabling lateral movement and privilege escalation up to cluster-admin.
Microsoft.ContainerService/fleets/serviceaccounts/impersonate/action
Impersonating a ServiceAccount lets an attacker act as another in-cluster identity and inherit its (potentially broader) RBAC permissions, directly enabling lateral movement and privilege escalation.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security