services / Azure / Kubernetes admission initializer configurations (AKS)
Cluster-wide Kubernetes admission control objects (initializerconfigurations) on an AKS managed cluster that intercept API server requests and can gate or initialize objects before they are persisted.
Admission registration objects are the cluster's enforcement points for security policy, so control over them affects every workload cluster-wide. The initializerconfigurations resource belongs to the alpha Initializers admission mechanism, which is deprecated and has been removed from current Kubernetes releases.
Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/initializerconfigurations/write
Creating or updating an initializer configuration lets an attacker intercept and mutate every matching object at admission, cluster-wide, injecting privileged changes and disabling or bypassing admission-based security enforcement.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security