Kubernetes Pods (Azure)
Kubernetes Pod objects on an AKS managed cluster are the running unit of workload execution; their specs include container images, command/args, environment variables, and references to mounted secrets, ConfigMaps, volumes, and service accounts.
Pod specs frequently embed or reference credentials and sensitive configuration, and pods carry service-account tokens granting in-cluster and cloud identity.
Microsoft.ContainerService/managedClusters/pods/write
Creating/updating pods lets an attacker run arbitrary containers (e.g. cryptomining workloads), mount any secret, service-account token, or host path, use the node's managed identity to assume cluster/cloud identities and move laterally, and alter the cluster's running workload state.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.
Contributed by P0 Security