More here: https://learn.microsoft.com/azure/aks/security-bulletins/overview#aks-2026-0003-azure-monitor-container-insights-add-on-removes-use-of-nodesproxy-permission
A public disclosure described how the Kubernetes nodes/proxy GET permission can be abused to execute commands in any pod on a reachable node via the Kubelet API (port 10250). The Kubernetes Security Team determined this is working as intended; the long-term mitigation is KEP-2862, which is GA in Kubernetes v1.33.
The Azure Monitor Container Insights add-on (ama-logs) uses nodes/proxy on AKS, which creates a security risk.
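One way to audit a cluster for this exposure, as an added example that is not from the bulletin or from Microsoft: the script scans ClusterRole objects for rules that grant GET on nodes/proxy and lists the subjects bound to them. The role, binding and service account names in the sample are constructed; the matching follows the RBAC authorizer's rules for wildcards (`*` and `*/proxy`).

```python
import json

# Constructed sample, shaped like `kubectl get clusterroles,clusterrolebindings -o json`.
# Every name below is made up for illustration.
SAMPLE = json.loads('''
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "log-agent-reader"},
  "rules": [{"apiGroups": [""], "resources": ["nodes/proxy", "pods"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "node-viewer"},
  "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "proxy-writer"},
  "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["create"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "log-agent-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "log-agent-reader"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "log-agent"}]}
]}
''')

def grants_nodes_proxy_get(rule):
    """True if an RBAC rule allows the get verb on the nodes/proxy subresource."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    # nodes live in the core API group (""); "*" and "*/proxy" are RBAC wildcards.
    return (any(g in ("", "*") for g in groups)
            and any(r in ("nodes/proxy", "*/proxy", "*") for r in resources)
            and any(v in ("get", "*") for v in verbs))

def audit(items):
    """Map each ClusterRole granting nodes/proxy GET to the subjects bound to it."""
    risky = {i["metadata"]["name"]: [] for i in items
             if i["kind"] == "ClusterRole"
             and any(grants_nodes_proxy_get(r) for r in i.get("rules") or [])}
    for i in items:
        if i["kind"] == "ClusterRoleBinding" and i["roleRef"]["name"] in risky:
            for s in i.get("subjects") or []:
                risky[i["roleRef"]["name"]].append(
                    f'{s["kind"]}:{s.get("namespace", "")}/{s["name"]}')
    return risky

if __name__ == "__main__":
    for role, subjects in audit(SAMPLE["items"]).items():
        print(role, "->", subjects or "no ClusterRoleBinding in input")
```

Against a live cluster, feed the function the `items` list from the kubectl output named in the comment instead of the sample.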