
An Azure Kubernetes Service (AKS) agent pool (node pool) is the set of VM-based nodes, backed by a virtual machine scale set (VMSS) or an availability set, that join a managed cluster and run its Kubernetes workloads.

Node pools are the compute substrate that a cluster's workloads and kubelets run on. Agent pools are managed through the ARM control plane rather than the Kubernetes API, so an attacker holding only this ARM-layer permission (and no Kubernetes RBAC at all) can provision or reconfigure nodes that join the cluster network and host workloads, or scale a pool down so that the compute backing running workloads is removed. The permission is therefore rated in line with the parent managed cluster.


Microsoft.ContainerService/managedClusters/agentPools/write

Creating or updating an agent pool lets an attacker provision new VM nodes (with custom node configuration, extensions, or a custom node image) that join the cluster network, or alter an existing pool's configuration. Either is a path to running attacker-controlled code on a node that has network access to other pods, holds the node's kubelet credentials, and mounts whatever secrets and volumes are scheduled onto it.
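Two checks a practitioner would want for this permission, written here as an added Python example (it is not part of the catalog entry and not P0 Security's tooling): which role definitions grant the action under Azure RBAC's Actions/NotActions wildcard rules, and which successful agentPools/write calls in the Activity Log came from a caller outside an allowlist such as the deployment pipeline. The role definitions (shaped after, but not exact copies of, built-in roles), the callers, subscription and cluster names, and the log records are constructed sample data; record field names follow the Activity Log REST schema (operationName.value, status.value, caller, resourceId, eventTimestamp).

```python
"""Audit helpers for Microsoft.ContainerService/managedClusters/agentPools/write.

Added example, not the catalog's or P0 Security's code. All roles, callers,
resource IDs and log records below are constructed sample data.
"""
import re
from typing import Iterable

AGENTPOOL_WRITE = "Microsoft.ContainerService/managedClusters/agentPools/write"

# resourceId of an agent pool: .../managedClusters/<cluster>/agentPools/<pool>
_POOL_ID = re.compile(
    r"/providers/Microsoft\.ContainerService/managedClusters/(?P<cluster>[^/]+)"
    r"/agentPools/(?P<pool>[^/]+)$",
    re.IGNORECASE,
)


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action matching: case-insensitive, '*' matches any run of
    characters (including '/'); no other metacharacters exist."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_grants(role: dict, action: str = AGENTPOOL_WRITE) -> bool:
    """True if a permissions block lists a matching Action that is not taken
    back by a matching NotAction in the same block."""
    for perm in role.get("permissions", []):
        allowed = any(action_matches(a, action) for a in perm.get("actions", []))
        denied = any(action_matches(n, action) for n in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def roles_granting(roles: Iterable[dict], action: str = AGENTPOOL_WRITE) -> list:
    return sorted(r["roleName"] for r in roles if role_grants(r, action))


def _value(field):
    # REST schema nests these as {"value": ..., "localizedValue": ...};
    # some exports flatten them to plain strings. Accept both.
    return field.get("value", "") if isinstance(field, dict) else (field or "")


def flag_agentpool_writes(events: Iterable[dict], allowed_callers: Iterable[str]) -> list:
    """Successful agentPools/write records whose caller is not allowlisted.
    Only 'Succeeded' is counted: a long-running PUT also logs 'Started' and
    'Accepted' records for the same operation, which would double-count."""
    allowed = {c.lower() for c in allowed_callers}
    findings = []
    for ev in events:
        if not action_matches(AGENTPOOL_WRITE, _value(ev.get("operationName"))):
            continue
        if _value(ev.get("status")).lower() != "succeeded":
            continue
        caller = ev.get("caller", "")
        if caller.lower() in allowed:
            continue
        m = _POOL_ID.search(ev.get("resourceId", ""))
        findings.append({"timestamp": ev.get("eventTimestamp"), "caller": caller,
                         "cluster": m.group("cluster") if m else None,
                         "pool": m.group("pool") if m else None})
    return findings


# Constructed role definitions; shapes approximate built-in roles, not exact copies.
SAMPLE_ROLES = [
    {"roleName": "Contributor",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Delete",
                                     "Microsoft.Authorization/*/Write"]}]},
    {"roleName": "Reader", "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Azure Kubernetes Service Contributor Role",
     "permissions": [{"actions": ["Microsoft.ContainerService/managedClusters/*"],
                      "notActions": []}]},
    {"roleName": "custom-aks-ops-no-pools",   # hypothetical custom role
     "permissions": [{"actions": ["Microsoft.ContainerService/managedClusters/*"],
                      "notActions": ["Microsoft.ContainerService/managedClusters/agentPools/*"]}]},
]

_CLUSTER = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
            "/providers/Microsoft.ContainerService/managedClusters/prod-aks")

# Constructed Activity Log records (hypothetical callers and cluster).
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-05-01T10:00:00Z", "caller": "ci-deployer@contoso.example",
     "operationName": {"value": AGENTPOOL_WRITE}, "status": {"value": "Succeeded"},
     "resourceId": _CLUSTER + "/agentPools/nodepool1"},
    {"eventTimestamp": "2024-05-01T11:00:00Z", "caller": "jdoe@contoso.example",
     "operationName": {"value": AGENTPOOL_WRITE}, "status": {"value": "Started"},
     "resourceId": _CLUSTER + "/agentPools/scratch"},
    {"eventTimestamp": "2024-05-01T11:02:00Z", "caller": "jdoe@contoso.example",
     "operationName": {"value": AGENTPOOL_WRITE}, "status": {"value": "Succeeded"},
     "resourceId": _CLUSTER + "/agentPools/scratch"},
    {"eventTimestamp": "2024-05-01T11:05:00Z", "caller": "jdoe@contoso.example",
     "operationName": {"value": "Microsoft.ContainerService/managedClusters/read"},
     "status": {"value": "Succeeded"}, "resourceId": _CLUSTER},
]

if __name__ == "__main__":
    print("roles granting agentPools/write:", roles_granting(SAMPLE_ROLES))
    for f in flag_agentpool_writes(SAMPLE_EVENTS, ["ci-deployer@contoso.example"]):
        print("ALERT: {caller} wrote pool {pool} on {cluster} at {timestamp}".format(**f))
```

Against real data, feed role_grants() the output of `az role definition list` and flag_agentpool_writes() the Activity Log export for the cluster's resource group; Contributor grants the action through its bare `*`, which is why scoping it at subscription level effectively hands out node-pool control on every cluster beneath it.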

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ContainerService
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog