services / Azure / Kubernetes ConfigMaps (Arc-connected cluster)
Kubernetes ConfigMap objects on an Azure Arc-connected cluster, holding non-secret application and component configuration consumed by workloads and controllers.
Though intended for non-secret config, ConfigMaps in practice frequently contain sensitive values (endpoints, tokens, connection strings, CA bundles) and drive runtime behavior of workloads.
Microsoft.Kubernetes/connectedClusters/configmaps/write
Writing configmaps alters configuration consumed by workloads and controllers, allowing injection of malicious config (e.g. CA bundles, kubelet/admission config) to tamper with operational behavior.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security