Kubernetes pod security policies (Azure)
PodSecurityPolicies are cluster-scoped Kubernetes admission-control objects that constrain what pods may do (privileged mode, host namespaces, volume types such as hostPath, Linux capabilities). On an Azure Arc-connected Kubernetes cluster they act as a security-enforcement guardrail. Note that the upstream PodSecurityPolicy API was deprecated in Kubernetes 1.21 and removed in 1.25, so on newer clusters the equivalent guardrail is Pod Security Admission.
The policy is a defense mechanism: relaxing or removing it allows privileged pods to be deployed, which is a common path to node and cluster breakout.
Microsoft.Kubernetes/connectedClusters/extensions/podsecuritypolicies/write
Creating or updating a PodSecurityPolicy can relax admission controls to permit privileged, hostPath or host-namespace pods. This disables a defense and enables escalation to privileged workloads and node breakout, so writes to this resource should be tightly scoped and audited.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security