services / Azure / Kubernetes mutating webhook configurations (admission control)
Mutating webhook configurations are in-cluster admissionregistration.k8s.io objects that register webhooks intercepting and rewriting every matching Kubernetes API object on create/update. They are a core admission-control and security-policy-enforcement mechanism for the cluster.
A mutating webhook can rewrite any admitted object cluster-wide (inject sidecars/credentials, alter privileges), so write over these objects is effectively a cluster-admin-equivalent primitive; this is a data-plane (in-cluster) resource of an Arc-connected production cluster.
Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/delete
Deleting mutating webhook configurations removes cluster-wide admission-control mutation/enforcement, disabling defensive policy-enforcement webhooks (e.g. policy/security mutators) so non-compliant or malicious objects pass unmodified.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security