Kubernetes certificate signing requests (Arc-connected cluster)

Kubernetes CertificateSigningRequest (CSR) objects on an Azure Arc-connected cluster. A CSR requests a signed X.509 client certificate for a named user/group identity; once approved its status carries the issued, signed certificate.

CSRs are the cluster's credential-issuance mechanism. The signed certificate embedded in an approved CSR is a usable cluster authentication credential, and CSRs can request arbitrary identities up to system:masters (cluster-admin), making this an identity/credential asset.


Microsoft.​Kubernetes/​connectedClusters/​certificates.​k8s.​io/​certificatesigningrequests/​read

Reading or listing CSRs returns the issued, signed client certificate stored in status.certificate (a usable identity credential, i.e. crypto exfiltration) and enumerates the identities and groups requesting cluster access (policy recon).

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Kubernetes
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog