services / Azure / Kubernetes ServiceAccounts (AKS data plane)
Kubernetes ServiceAccount objects within an AKS managed cluster. They are the in-cluster identities that workloads authenticate to the API server as, and RoleBindings and ClusterRoleBindings attach Kubernetes RBAC permissions to them.
ServiceAccounts are workload identities; whoever can impersonate one acts as that identity with every permission bound to it. Because the ability is not scoped to a namespace or to a particular account, it reaches any ServiceAccount in the cluster, and if any of them is bound to cluster-admin, impersonating it is full cluster compromise.
Microsoft.ContainerService/managedClusters/serviceaccounts/impersonate/action
Grants impersonation of any Kubernetes ServiceAccount in the cluster through the Kubernetes API (for example, `kubectl --as=system:serviceaccount:<namespace>:<name> ...`), so the caller operates with that ServiceAccount's bound RBAC permissions instead of their own. This is a direct lateral-movement and privilege-escalation primitive: it needs no ServiceAccount token and is not limited to a namespace, so it extends to accounts bound to cluster-admin. Note that this is a data action: it is granted through `dataActions` in a role definition (the built-in Azure Kubernetes Service RBAC Cluster Admin role covers it with a `Microsoft.ContainerService/managedClusters/*` wildcard), never through control-plane `actions`, and it is only enforced on clusters that use Azure RBAC for Kubernetes authorization; on clusters using Kubernetes RBAC alone, the equivalent is the `impersonate` verb on `serviceaccounts`.
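Because the grant is a data action and built-in roles usually express it through wildcards rather than by name, the practical check is whether a role definition assigned at or above the cluster effectively matches it. The Python below is an added example, not part of this catalog entry or of P0 Security's tooling. It evaluates role definitions shaped like `az role definition list` output against the action, treating `*` the way Azure documents it (any run of characters, including `/`, compared case-insensitively) and honoring `notDataActions`. The role definitions embedded in the block are constructed samples modeled on built-in and custom roles, not fetched definitions, and the role names are assumptions for illustration.

```python
import re

# The data action this catalog entry describes.
IMPERSONATE_SA = "Microsoft.ContainerService/managedClusters/serviceaccounts/impersonate/action"


def _pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn an Azure RBAC action pattern into a regex.

    Azure treats '*' as matching any run of characters (path segments included)
    and compares action strings case-insensitively.
    """
    escaped = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def action_matches(pattern: str, action: str) -> bool:
    """True if the role-definition pattern covers the concrete action string."""
    return _pattern_to_regex(pattern).match(action) is not None


def role_grants(role: dict, action: str) -> bool:
    """True if a role definition effectively grants a data action.

    Only dataActions count: the control-plane 'actions' list never covers a
    data action, so a role with actions ['Microsoft.ContainerService/managedClusters/*']
    and no dataActions does NOT grant impersonation. Within a permission block,
    a matching notDataActions entry removes what dataActions matched.
    """
    for perm in role.get("permissions", []):
        allowed = any(action_matches(p, action) for p in perm.get("dataActions", []))
        denied = any(action_matches(p, action) for p in perm.get("notDataActions", []))
        if allowed and not denied:
            return True
    return False


def roles_granting(role_definitions: list, action: str) -> list:
    """Sorted names of the role definitions that grant the action."""
    return sorted(r["roleName"] for r in role_definitions if role_grants(r, action))


# Constructed samples shaped like trimmed `az role definition list` output.
SAMPLE_ROLE_DEFINITIONS = [
    {   # Built-in shape: one managedClusters wildcard covers every data action,
        # impersonation included.
        "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
        "permissions": [{
            "actions": ["Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"],
            "dataActions": ["Microsoft.ContainerService/managedClusters/*"],
            "notDataActions": [],
        }],
    },
    {   # Control-plane only: manages the cluster resource, but has no dataActions.
        "roleName": "Azure Kubernetes Service Contributor Role",
        "permissions": [{
            "actions": ["Microsoft.ContainerService/managedClusters/*"],
            "dataActions": [],
            "notDataActions": [],
        }],
    },
    {   # Read-only wildcard: '*/read' never matches an '/impersonate/action' string.
        "roleName": "Azure Kubernetes Service RBAC Reader",
        "permissions": [{
            "actions": [],
            "dataActions": ["Microsoft.ContainerService/managedClusters/*/read"],
            "notDataActions": [],
        }],
    },
    {   # Custom role (assumed name) that carves impersonation back out of a broad wildcard.
        "roleName": "CI Deployer (constructed)",
        "permissions": [{
            "actions": [],
            "dataActions": ["Microsoft.ContainerService/managedClusters/*"],
            "notDataActions": ["Microsoft.ContainerService/managedClusters/*/impersonate/action"],
        }],
    },
    {   # Custom role (assumed name) naming the action explicitly, in different casing.
        "roleName": "Namespace Operator (constructed)",
        "permissions": [{
            "actions": [],
            "dataActions": ["microsoft.containerservice/managedclusters/serviceaccounts/impersonate/action"],
            "notDataActions": [],
        }],
    },
]


if __name__ == "__main__":
    for name in roles_granting(SAMPLE_ROLE_DEFINITIONS, IMPERSONATE_SA):
        print(f"grants ServiceAccount impersonation: {name}")
```

To run this against a real tenant, feed it the JSON from `az role definition list -o json` (built-in and custom definitions) and then cross-reference the matching role names with `az role assignment list --scope <cluster resource id> --include-inherited`, since a definition only matters where it is assigned at or above the cluster. Actual use of the privilege is visible in the cluster's Kubernetes audit log: an impersonated request carries an `impersonatedUser` field whose `username` is `system:serviceaccount:<namespace>:<name>`, alongside the real caller in `user`.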
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Links
Contributed by P0 Security