services / Azure / AKS cluster command results
Command results hold the captured stdout/stderr output of a previously issued AKS Run Command (command invoke), which executes kubectl/shell commands inside the cluster under a privileged in-cluster context.
Run-command output routinely contains dumped Kubernetes secrets, kubeconfig material, environment variables, and other sensitive cluster data.
Microsoft.ContainerService/managedClusters/commandResults/read
Retrieving a prior command's stored result returns the output of arbitrary in-cluster commands, enabling exfiltration of secrets, config, and cluster-internal data.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog