services / Azure / Kubernetes pod security policies

PodSecurityPolicies are cluster-scoped Kubernetes admission-control objects that constrain what pods may do (privileged mode, host namespaces, volume types, capabilities). They are a security-enforcement guardrail for the connected (Azure Arc) Kubernetes cluster.

The policy acts as a defense mechanism: relaxing or removing it permits privileged pod deployment and node/cluster breakout.

Microsoft.Kubernetes/connectedClusters/extensions/podsecuritypolicies/write

Creating or updating a PodSecurityPolicy can relax admission controls to permit privileged, hostPath or host-namespace pods, disabling a defense and enabling escalation to privileged workloads and node breakout.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Kubernetes
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog