services / Azure / Kubernetes service accounts (fleet)
Kubernetes ServiceAccount objects in a namespace of an AKS fleet (Fleet Manager hub cluster). A ServiceAccount is the in-cluster identity a pod authenticates as; RoleBindings and ClusterRoleBindings grant it RBAC permissions by namespace and name, and its annotations can bind it to an Azure workload identity.
Workload identities are targets for impersonation and credential theft; controlling them enables persistence and privilege escalation across the cluster.
Microsoft.ContainerService/fleets/serviceaccounts/write
Creating or updating ServiceAccounts lets an attacker provision new in-cluster identities or modify existing ones: the annotations that bind a ServiceAccount to an Azure workload identity (`azure.workload.identity/client-id`), its `imagePullSecrets` and `secrets` references, and its `automountServiceAccountToken` setting. Because RBAC bindings reference ServiceAccounts by namespace and name, an attacker who can (re)create a ServiceAccount whose name already appears in a privileged RoleBinding or ClusterRoleBinding inherits that binding. This establishes persistence and supports privilege escalation and lateral movement. Caveat: this action does not by itself mint tokens (that is the `serviceaccounts/token` create subresource) or change which ServiceAccount a pod runs as (that needs pod write), so its real impact depends on which bindings, federated credentials and pod specs already reference the affected ServiceAccount names.
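Added example (not from the original page or P0 Security): a Python check that ranks the ServiceAccount names in one namespace by what a serviceaccounts/write could take over. It reads the JSON shapes that `kubectl get serviceaccounts,rolebindings -n NS -o json` and `kubectl get clusterrolebindings -o json` return. The namespace `payments`, the objects, the role names and the severity ranking are constructed assumptions; `azure.workload.identity/client-id` is the real annotation AKS workload identity reads from a ServiceAccount.

```python
"""Blast radius of serviceaccounts/write in one namespace (added example).

For every ServiceAccount name that exists or is referenced by a binding,
report the RBAC bindings and Azure workload-identity annotation it carries.
A principal with serviceaccounts/write can edit or (re)create any of them.
"""
from dataclasses import dataclass, field
from typing import Optional

# Annotation AKS workload identity reads from a ServiceAccount (real name).
WI_CLIENT_ID = "azure.workload.identity/client-id"
# Assumption: roles treated as high-value for the severity ranking.
SENSITIVE_ROLES = {"cluster-admin", "admin", "edit"}
ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    name: str
    exists: bool  # False: a binding names this SA but the object does not exist
    bindings: list = field(default_factory=list)  # (binding kind, binding name, roleRef kind, roleRef name)
    client_id: Optional[str] = None  # Azure identity the SA is annotated with, if any
    severity: str = "low"


def _index_bindings(namespace, bindings):
    """Map SA name -> bindings whose subjects include that SA in `namespace`."""
    out = {}
    for b in bindings:
        for s in b.get("subjects", []):
            if s.get("kind") != "ServiceAccount":
                continue
            # RoleBinding subjects may omit namespace; the authorizer then uses the binding's own.
            subj_ns = s.get("namespace") or b["metadata"].get("namespace")
            if subj_ns != namespace:
                continue
            out.setdefault(s["name"], []).append(
                (b["kind"], b["metadata"]["name"], b["roleRef"]["kind"], b["roleRef"]["name"])
            )
    return out


def _severity(f: Finding) -> str:
    if any(kind == "ClusterRoleBinding" or role in SENSITIVE_ROLES
           for kind, _, _, role in f.bindings):
        return "critical"
    if f.client_id or (f.bindings and not f.exists):
        return "high"  # Azure identity attached, or a dangling binding anyone can claim by creating the SA
    if f.bindings:
        return "medium"
    return "low"


def assess(namespace, service_accounts, bindings):
    """Return Findings sorted by severity, then name."""
    by_name = _index_bindings(namespace, bindings)
    findings = {}
    for sa in service_accounts:
        if sa["metadata"].get("namespace") != namespace:
            continue
        name = sa["metadata"]["name"]
        ann = sa["metadata"].get("annotations") or {}
        findings[name] = Finding(name, True, by_name.get(name, []), ann.get(WI_CLIENT_ID))
    for name, binds in by_name.items():  # bindings whose subject SA is missing
        findings.setdefault(name, Finding(name, False, binds))
    for f in findings.values():
        f.severity = _severity(f)
    return sorted(findings.values(), key=lambda f: (ORDER[f.severity], f.name))


# Constructed sample objects, in the shape kubectl -o json returns.
NS = "payments"
SAMPLE_SAS = [
    {"kind": "ServiceAccount", "metadata": {"namespace": NS, "name": "default"}},
    {"kind": "ServiceAccount", "metadata": {"namespace": NS, "name": "billing-api",
        "annotations": {WI_CLIENT_ID: "00000000-0000-0000-0000-000000000001"}}},
    {"kind": "ServiceAccount", "metadata": {"namespace": NS, "name": "deployer"}},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"namespace": NS, "name": "billing-read"},
     "roleRef": {"kind": "Role", "name": "billing-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "billing-api"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "deployer-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": NS}]},
    # Binding left behind after its SA was deleted: creating "ops" claims "admin".
    {"kind": "RoleBinding", "metadata": {"namespace": NS, "name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ops"}]},
]

if __name__ == "__main__":
    for f in assess(NS, SAMPLE_SAS, SAMPLE_BINDINGS):
        print(f"{f.severity:8} {f.name:12} exists={f.exists} client_id={f.client_id} "
              f"bindings={[b[1] for b in f.bindings]}")
```

Against a real cluster, pass the `items` arrays of the three kubectl outputs. Rows with `exists=False` are bindings whose subject ServiceAccount no longer exists; that is the one case where serviceaccounts/write alone, with no pod or token privileges, hands the attacker an existing grant.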
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or lead to significant privilege escalation if exploited.
Links
Contributed by P0 Security