services / Azure / Kubernetes PodTemplates
Kubernetes PodTemplate objects on an AKS managed cluster: reusable pod specifications (images, environment variables, command, and mounted secret/volume/service-account references) that controllers can instantiate into running pods.
PodTemplate specs embed the same sensitive configuration and secret/identity references as pod specs, and they define how workloads are constructed.
Microsoft.ContainerService/managedClusters/podtemplates/write
Creating or updating pod templates injects malicious pod specifications (attacker-controlled images, privileged settings, mounted tokens/identities) that controllers later instantiate, manipulating workload definitions and seeding lateral movement once those pods run.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security