services / Azure / Kubernetes mutating webhook configurations (admission control)
Mutating webhook configurations are in-cluster admissionregistration.k8s.io objects that register webhooks intercepting and rewriting every matching Kubernetes API object on create/update. They are a core admission-control and security-policy-enforcement mechanism for the cluster.
A mutating webhook can rewrite any admitted object cluster-wide (inject sidecars or credentials, alter privileges), so write access to these objects is effectively a cluster-admin-equivalent primitive; this is a data-plane (in-cluster) resource of an Arc-connected production cluster.
Microsoft.Kubernetes/connectedClusters/admissionregistration.k8s.io/mutatingwebhookconfigurations/write
Creating or updating a mutating webhook lets an attacker intercept and rewrite every admitted Kubernetes object (e.g. inject privileged sidecars, mount secrets, alter RBAC-bound pods) and redirect admission traffic, making it a cluster-wide privilege-escalation, tampering, and defense-bypass primitive.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security