services / Azure / Kubernetes certificate signing requests (Arc-connected cluster)
Kubernetes CertificateSigningRequest (CSR) objects on an Azure Arc-connected cluster. A CSR carries a PEM-encoded X.509 request (spec.request) for a client certificate whose subject names a Kubernetes identity (CN = username, O = groups); once the request is approved and signed, status.certificate carries the issued certificate. The private key that produced the request stays with the requester and is never stored in the CSR.
CSRs are the cluster's built-in X.509 credential-issuance mechanism. A CSR can name any subject, including membership in system:masters (which bypasses RBAC entirely), and whether it is issued rests only on the approver and on the signer's policy, so the objects record who asked for which identity and which requests were granted. The certificate in an approved CSR is half of a cluster client credential: it authenticates only together with the matching private key, but for whoever holds that key it is ready to use. That makes this resource an identity/credential asset.
Microsoft.Kubernetes/connectedClusters/certificates.k8s.io/certificatesigningrequests/read
Reading or listing CSRs returns spec.request (the request's public key and requested username/groups), spec.username and spec.groups (who created the request), and, once signed, status.certificate (the issued client certificate). The certificate becomes a usable credential for anyone who also holds the matching private key, which the CSR never contains, so this read completes a credential theft rather than providing one outright (credential exfiltration); for everyone else it still enumerates which identities and groups are requesting, and being granted, cluster access, including privileged ones such as system:masters (policy recon).
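Added example, not part of this P0 catalog entry or of any Azure or Kubernetes code: a Go program (standard library only) that does what the holder of this privilege, or an auditor reviewing it, would do with the returned objects. It parses each CSR's spec.request and status.certificate, records who created the request and which identity it names, distinguishes a merely requested identity from an actually issued certificate, and flags privileged identities. The sample CSR object, the names jane, jane-admin and dev-user@example.com, the 24-hour validity, and the self-signed stand-in for the cluster CA's signature are constructed for the example; the privileged-identity rule (system:masters group, any system: username) is the example's own heuristic, not a Kubernetes API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

// Subset of certificates.k8s.io/v1 CertificateSigningRequest. The []byte fields
// arrive base64-encoded in the JSON, which is exactly what encoding/json expects.
type csrObject struct {
	Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	Spec     struct {
		Request  []byte `json:"request"`  // PEM CSR: public key + requested subject, no private key
		Username string `json:"username"` // creator of the object, not the requested identity
	} `json:"spec"`
	Status struct {
		Certificate []byte `json:"certificate,omitempty"` // PEM client cert, present only once signed
	} `json:"status"`
}

// Finding: who created the CSR, which identity it names (CN = username, O = groups),
// whether a certificate was actually issued, and whether that identity is privileged.
type Finding struct {
	Name, Requester, SubjectCN string
	SubjectOrgs                []string
	Issued, Privileged         bool
}

// Example heuristic: system:masters bypasses RBAC entirely; system: usernames belong to control-plane components.
func privilegedIdentity(cn string, orgs []string) bool {
	return strings.HasPrefix(cn, "system:") || slices.Contains(orgs, "system:masters")
}

// parsePEM checks the PEM block type before handing the DER payload to an x509 parser.
func parsePEM[T any](data []byte, wantType string, parse func([]byte) (T, error)) (T, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != wantType {
		var zero T
		return zero, fmt.Errorf("expected a PEM %q block", wantType)
	}
	return parse(block.Bytes)
}

// AnalyzeCSR turns one CSR object (JSON as returned by get/list) into a Finding.
func AnalyzeCSR(raw []byte) (f Finding, err error) {
	var obj csrObject
	if err = json.Unmarshal(raw, &obj); err != nil {
		return f, err
	}
	f.Name, f.Requester = obj.Metadata.Name, obj.Spec.Username
	req, err := parsePEM(obj.Spec.Request, "CERTIFICATE REQUEST", x509.ParseCertificateRequest)
	if err != nil {
		return f, err
	}
	f.SubjectCN, f.SubjectOrgs = req.Subject.CommonName, req.Subject.Organization
	// Only a populated status.certificate is an issued credential, usable solely by whoever holds
	// the key behind spec.request. Its subject is what the signer actually issued, so report that.
	if len(obj.Status.Certificate) > 0 {
		cert, err := parsePEM(obj.Status.Certificate, "CERTIFICATE", x509.ParseCertificate)
		if err != nil {
			return f, err
		}
		f.Issued, f.SubjectCN, f.SubjectOrgs = true, cert.Subject.CommonName, cert.Subject.Organization
	}
	f.Privileged = privilegedIdentity(f.SubjectCN, f.SubjectOrgs)
	return f, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SampleCSRObject is a constructed stand-in for an API response: a CSR for CN=jane / O=system:masters,
// "signed" with the requester's own key so this runs offline (on a real cluster the cluster CA signs it).
func SampleCSRObject() []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	subject := pkix.Name{CommonName: "jane", Organization: []string{"system:masters"}}
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	certDER := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	var obj csrObject
	obj.Metadata.Name, obj.Spec.Username = "jane-admin", "dev-user@example.com"
	obj.Spec.Request = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})
	obj.Status.Certificate = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	return must(json.Marshal(obj))
}

func main() {
	f := must(AnalyzeCSR(SampleCSRObject()))
	fmt.Printf("%s: requester=%s identity=%s groups=%v issued=%t privileged=%t\n", f.Name, f.Requester, f.SubjectCN, f.SubjectOrgs, f.Issued, f.Privileged)
}
```

On a real cluster, feed AnalyzeCSR each item of the list response (the output of kubectl get csr -o json, or the same call made through Arc cluster connect). Entries with Issued and Privileged both true are the ones whose private-key holders must be accounted for; entries with Privileged true but Issued false are pending or denied requests worth reviewing before someone approves them.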
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security