Kubernetes user impersonation (Fleet)
The Kubernetes user-impersonation privilege on an AKS Fleet allows a caller to issue API requests as any other user identity (the RBAC impersonate verb on the users resource).
Impersonation is a top-tier privilege-escalation primitive: the holder can assume any identity, including cluster-admin, and execute requests with that identity's full RBAC.
Microsoft.ContainerService/fleets/users/impersonate/action
User impersonation lets an attacker act as any user, including cluster-admins, directly escalating privilege and moving laterally to higher-privileged identities.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security