services / Azure / AKS agent pool machine deletion

An Azure Kubernetes Service (AKS) node pool is the set of VM-based nodes (backed by a virtual machine scale set or an availability set) that join a managed cluster and run its Kubernetes workloads.

Node pools are the compute substrate that a cluster's kubelets and workloads run on. An attacker holding only this ARM-layer permission, with no Kubernetes RBAC at all, can provision or reconfigure nodes that join the cluster network and host workloads, or remove the compute backing workloads that are already running, so agent pool actions are rated in line with the parent managed cluster.


Microsoft.ContainerService/managedClusters/agentPools/deleteMachines/action

Deletes specific VM instances within an agent pool without deleting the pool itself. This lets an attacker selectively evict nodes, and with them the pods scheduled on those nodes, causing targeted service disruption that is harder to notice than deleting the entire pool, because the pool remains in place with a reduced set of machines.
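Two checks a practitioner would want for this entry, as an added example that is not P0 Security's code: first, which Azure RBAC role definitions actually grant deleteMachines once wildcard Actions and NotActions are evaluated (a role that denies only agentPools/delete still lets the holder delete individual machines through an agentPools/* wildcard), and second, a scan of Azure Activity Log records for succeeded deleteMachines calls. The role definitions and log records are constructed samples in the shape of Azure role definitions and Activity Log entries, not the real built-in roles or captured telemetry; the per-block NotActions evaluation and the handful of log fields used are assumptions stated in the comments.

```python
"""Added example for the deleteMachines/action catalog entry. Not P0 Security's
code. The role definitions and Activity Log records below are constructed
samples, not the exact Azure built-in roles or real telemetry."""
import re

# The ARM operation this catalog entry covers.
DELETE_MACHINES = "Microsoft.ContainerService/managedClusters/agentPools/deleteMachines/action"


def action_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC action matching: '*' matches any run of characters, including
    '/', and the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_grants(role: dict, operation: str) -> bool:
    """A role definition grants a control-plane operation when, in some
    permissions block, an Actions entry matches it and no NotActions entry
    does. Assumption: NotActions is evaluated per block (the common case)."""
    for block in role["permissions"]:
        allowed = any(action_matches(a, operation) for a in block.get("actions", []))
        denied = any(action_matches(n, operation) for n in block.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def roles_granting(roles: list, operation: str = DELETE_MACHINES) -> list:
    """Names of the roles in `roles` that grant `operation`."""
    return [r["roleName"] for r in roles if role_grants(r, operation)]


# Constructed, abbreviated role definitions (not the exact built-in roles).
SAMPLE_ROLES = [
    {"roleName": "Contributor-like", "permissions": [{
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write"]}]},
    {"roleName": "Reader-like", "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "AKS credential reader", "permissions": [{
        "actions": ["Microsoft.ContainerService/managedClusters/read",
                    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"],
        "notActions": []}]},
    # Denies deleting a whole pool but, via the wildcard, still allows deleteMachines.
    {"roleName": "Node pool operator", "permissions": [{
        "actions": ["Microsoft.ContainerService/managedClusters/agentPools/*"],
        "notActions": ["Microsoft.ContainerService/managedClusters/agentPools/delete"]}]},
]


def find_machine_deletions(records: list) -> list:
    """Return (timestamp, caller, agent pool resource ID) for every succeeded
    deleteMachines call in a list of Activity Log records. Only these fields
    are assumed: operationName.value, status.value, caller, resourceId,
    eventTimestamp."""
    hits = []
    for rec in records:
        if (rec["operationName"]["value"].lower() == DELETE_MACHINES.lower()
                and rec["status"]["value"] == "Succeeded"):
            hits.append((rec["eventTimestamp"], rec["caller"], rec["resourceId"]))
    return hits


# Constructed Activity Log records.
POOL_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
           "/providers/Microsoft.ContainerService/managedClusters/aks-prod/agentPools/userpool")
SAMPLE_RECORDS = [
    {"eventTimestamp": "2024-06-01T10:00:00Z", "caller": "ops@example.com",
     "operationName": {"value": "Microsoft.ContainerService/managedClusters/agentPools/write"},
     "status": {"value": "Succeeded"}, "resourceId": POOL_ID},
    {"eventTimestamp": "2024-06-01T10:05:00Z", "caller": "svc-deploy@example.com",
     "operationName": {"value": DELETE_MACHINES},
     "status": {"value": "Succeeded"}, "resourceId": POOL_ID},
    {"eventTimestamp": "2024-06-01T10:06:00Z", "caller": "svc-deploy@example.com",
     "operationName": {"value": DELETE_MACHINES},
     "status": {"value": "Failed"}, "resourceId": POOL_ID},
]

if __name__ == "__main__":
    print("roles granting deleteMachines:", roles_granting(SAMPLE_ROLES))
    for hit in find_machine_deletions(SAMPLE_RECORDS):
        print("deleteMachines by", hit[1], "at", hit[0], "on", hit[2])
```

The role check is the more useful half when auditing: a custom role that excludes agentPools/delete to "prevent node pool deletion" still grants this action through the agentPools/* wildcard, which is exactly the quieter disruption path the description above warns about. The log scan keys on the operation name and status only, so it works on exported Activity Log JSON without depending on request bodies, which are not reliably present.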

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ContainerService
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog