services / Azure / Kubernetes certificate signing requests (Arc-connected cluster)
Kubernetes CertificateSigningRequest (CSR) objects on an Azure Arc-connected cluster. A CSR requests a signed X.509 client certificate for a named user/group identity; once approved its status carries the issued, signed certificate.
CSRs are the cluster's credential-issuance mechanism. The signed certificate embedded in an approved CSR is a usable cluster authentication credential, and CSRs can request arbitrary identities up to system:masters (cluster-admin), making this an identity/credential asset.
Microsoft.Kubernetes/connectedClusters/certificates.k8s.io/certificatesigningrequests/write
Creating/updating CSRs (including writing the status to inject a signed cert) lets an attacker mint client certificates for arbitrary identities such as system:masters, granting elevated, persistent, impersonatable cluster credentials.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security