services / Azure / Kubernetes userextras impersonation (Arc-connected cluster)
The Kubernetes impersonate verb on the userextras resource of an Azure Arc-connected cluster. It allows the holder to assert arbitrary extra authentication attributes (sent as `Impersonate-Extra-<key>` headers, e.g. scopes or claims) that authorizers and admission webhooks consume when making authorization decisions.
Impersonation is an identity-spoofing primitive: holding it on users, groups and userextras effectively grants the union of every identity's permissions, up to cluster-admin (the system:masters group). It is among the most powerful capabilities a principal can hold in a cluster.
Microsoft.Kubernetes/connectedClusters/authentication.k8s.io/userextras/impersonate/action
Impersonating user-extra attributes lets an attacker forge additional authorization-relevant claims, completing an impersonation chain that assumes privileged identities and enables lateral movement within the cluster.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security