services / Azure / Kubernetes Pods
Kubernetes Pod objects on an AKS managed cluster: the running unit of workload execution. A pod spec includes the container images, command/args and environment variables, plus references to the secrets, configmaps and volumes mounted into the containers and to the service account the pod runs as.
Pod specs and their mounted volumes frequently embed or reference credentials and sensitive configuration, and by default every pod carries a projected service-account token that gives it an in-cluster identity. With AKS workload identity the pod also holds a federated token that can be exchanged for a Microsoft Entra ID access token, so a pod's identity often reaches Azure resources as well as the cluster.
Microsoft.ContainerService/managedClusters/pods/exec/action
An Azure RBAC data action. On a cluster with Azure RBAC for Kubernetes authorization enabled it maps to create on the Kubernetes pods/exec subresource, i.e. kubectl exec. Exec runs an arbitrary command inside a running container as the container's user, with that pod's mounted service-account token and, where configured, its Azure workload identity. The holder can therefore read mounted secrets, environment variables and application data, act against the API server and Azure as the pod's identity, move laterally to whatever network the workload can reach, consume the pod's compute, and tamper with the running workload. The action is part of the built-in Azure Kubernetes Service RBAC Writer role (and the Admin and Cluster Admin roles above it) and can be assigned at cluster scope, inherited from a resource group or subscription, or limited to a single namespace.
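The check a practitioner wants alongside this rating is who actually holds the action on a given cluster. The script below is an added example, not P0 Security's or Microsoft's code. It evaluates role definitions and role assignments in the shape returned by az role definition list and az role assignment list (the sample data is constructed: the custom-* roles, principal names and subscription ID are hypothetical, and the two built-in roles' action lists are abbreviated) against Azure RBAC's evaluation rules as assumed here: case-insensitive matching, * wildcards, NotDataActions subtracted from DataActions, assignments inherited from ancestor scopes, and AKS namespace-scoped assignments under the cluster resource ID.

```python
import re

# The data action this page describes.
EXEC_ACTION = "Microsoft.ContainerService/managedClusters/pods/exec/action"

# Constructed sample in the shape of `az role definition list` output, trimmed to
# the fields used here. The custom-* roles are hypothetical; the two built-in
# role names are real but their action lists are abbreviated.
ROLE_DEFINITIONS = [
    {"roleName": "Azure Kubernetes Service RBAC Reader",
     "permissions": [{"dataActions": ["Microsoft.ContainerService/managedClusters/pods/read"],
                      "notDataActions": []}]},
    {"roleName": "Azure Kubernetes Service RBAC Writer",
     "permissions": [{"dataActions": [EXEC_ACTION,
                                      "Microsoft.ContainerService/managedClusters/pods/read"],
                      "notDataActions": []}]},
    {"roleName": "custom-pods-wildcard",
     "permissions": [{"dataActions": ["Microsoft.ContainerService/managedClusters/pods/*"],
                      "notDataActions": []}]},
    {"roleName": "custom-pods-wildcard-no-exec",
     "permissions": [{"dataActions": ["Microsoft.ContainerService/managedClusters/pods/*"],
                      "notDataActions": [EXEC_ACTION]}]},
    {"roleName": "custom-all-data",
     "permissions": [{"dataActions": ["*"], "notDataActions": []}]},
]

# Hypothetical cluster resource ID and assignments (shape of `az role assignment list`).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
CLUSTER_ID = SUB + "/resourceGroups/rg-prod/providers/Microsoft.ContainerService/managedClusters/aks-prod"

ROLE_ASSIGNMENTS = [
    {"principalName": "dev-team", "roleDefinitionName": "Azure Kubernetes Service RBAC Writer",
     "scope": CLUSTER_ID + "/namespaces/payments"},              # namespace-scoped on this cluster
    {"principalName": "platform-sre", "roleDefinitionName": "custom-pods-wildcard",
     "scope": SUB + "/resourceGroups/rg-prod"},                  # inherited from the resource group
    {"principalName": "auditor", "roleDefinitionName": "Azure Kubernetes Service RBAC Reader",
     "scope": CLUSTER_ID},                                       # no exec in this role
    {"principalName": "ops-no-exec", "roleDefinitionName": "custom-pods-wildcard-no-exec",
     "scope": CLUSTER_ID},                                       # exec removed by notDataActions
    {"principalName": "dev-cluster-admin", "roleDefinitionName": "custom-all-data",
     "scope": CLUSTER_ID.replace("aks-prod", "aks-dev")},        # a different cluster
    {"principalName": "rg-prefix-trap", "roleDefinitionName": "custom-all-data",
     "scope": SUB + "/resourceGroups/rg-prod-2"},                # not an ancestor of rg-prod
]


def action_matches(pattern: str, action: str) -> bool:
    """Case-insensitive match where '*' matches any run of characters, '/' included
    (assumed to mirror Azure RBAC wildcard semantics)."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, action.lower()) is not None


def role_grants(role_def: dict, action: str = EXEC_ACTION) -> bool:
    """A role's effective data permissions are DataActions minus NotDataActions."""
    allowed = denied = False
    for perm in role_def.get("permissions", []):
        allowed |= any(action_matches(p, action) for p in perm.get("dataActions", []))
        denied |= any(action_matches(p, action) for p in perm.get("notDataActions", []))
    return allowed and not denied


def scope_covers_cluster(assignment_scope: str, cluster_id: str) -> bool:
    """True if the assignment is on the cluster itself, on an ancestor scope
    (inherited downward), or on a namespace under the cluster. Segment boundaries
    are respected so 'rg-prod' does not cover 'rg-prod-2'."""
    a, c = assignment_scope.lower().rstrip("/"), cluster_id.lower().rstrip("/")
    return a == c or c.startswith(a + "/") or a.startswith(c + "/namespaces/")


def principals_with_exec(assignments, role_defs, cluster_id, action=EXEC_ACTION):
    """Map principalName -> assignment scope for every assignment that grants
    `action` somewhere on the given cluster."""
    by_name = {r["roleName"]: r for r in role_defs}
    found = {}
    for ra in assignments:
        role = by_name.get(ra["roleDefinitionName"])
        if role and role_grants(role, action) and scope_covers_cluster(ra["scope"], cluster_id):
            found[ra["principalName"]] = ra["scope"]
    return found


if __name__ == "__main__":
    for who, scope in principals_with_exec(ROLE_ASSIGNMENTS, ROLE_DEFINITIONS, CLUSTER_ID).items():
        print(f"{who}: can exec into pods on aks-prod via {scope}")
```

Run it against the real JSON from az role definition list and az role assignment list --all --include-inherited to get the actual holders. Two caveats: the Azure data action only takes effect on clusters created or updated with --enable-azure-rbac, and Kubernetes-native RoleBindings on the pods/exec subresource are a separate authorization path that this Azure-side check does not see.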
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security