services / Azure / AKS agent pool
An Azure Kubernetes Service (AKS) node pool, the set of VM-based nodes (VMSS or availability-set backed) that join a managed cluster and run its Kubernetes workloads.
Node pools are the compute substrate a cluster's workloads and kubelets run on. An attacker with only this ARM-layer permission (no Kubernetes RBAC) can provision or reconfigure nodes that join the cluster network and host workloads, or remove the compute backing running workloads, so this is rated in line with the parent managed cluster.
Microsoft.ContainerService/managedClusters/agentPools/delete
Deletes an entire node pool, destroying its VMs and any workloads scheduled on them; if the pool is the cluster's only pool or hosts unreplicated workloads, this can disrupt or fully take down the cluster.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security