Kubernetes ClusterRoleBindings
A ClusterRoleBinding is a cluster-scoped Kubernetes RBAC object that binds a subject (user, group, or service account) to a ClusterRole, granting that subject the role's permissions across the entire cluster.
ClusterRoleBindings are the core cluster-wide access-control bindings of Kubernetes (the analog of Azure roleAssignments). Because a ClusterRoleBinding can confer cluster-admin, the asset at stake is cluster-wide identity and access-control data.
Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/clusterrolebindings/write
Creating or updating a ClusterRoleBinding lets an attacker bind cluster-admin (or any other ClusterRole) to their own identity or to a service account they control. This is the headline cluster-wide privilege-escalation and lateral-movement primitive in Kubernetes, and the binding also gives the attacker durable persistence.
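A defender-side check for this risk, added here as an illustration and not part of the page or of any vendor tooling: audit a ClusterRoleBindingList (the shape returned by kubectl get clusterrolebindings -o json) and flag every binding that grants cluster-admin to a subject outside the built-in system: identities. The sample bindings and the HIGH_PRIVILEGE_ROLES set are constructed for the example.

```python
"""Flag ClusterRoleBindings that hand cluster-admin to non-system subjects."""

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
SAMPLE_CRB_LIST = {
    "kind": "ClusterRoleBindingList",
    "items": [
        {"metadata": {"name": "cluster-admin"},            # built-in, expected
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "ci-runner-admin"},          # the risky case
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "runner",
                       "namespace": "ci"}]},
        {"metadata": {"name": "view-all"},                 # low privilege, ignored
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "User", "name": "alice@example.com"}]},
        {"metadata": {"name": "dangling-admin"},           # no subjects yet
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    ],
}

# ClusterRoles treated as privileged; extend with your own admin-equivalent roles.
HIGH_PRIVILEGE_ROLES = {"cluster-admin"}


def subject_id(subj):
    """Render a subject as kind:name, with the namespace for service accounts."""
    if subj.get("kind") == "ServiceAccount":
        return f"ServiceAccount:{subj.get('namespace', '')}/{subj['name']}"
    return f"{subj['kind']}:{subj['name']}"


def is_system_subject(subj):
    """system:* users and groups are managed by Kubernetes itself."""
    return subj.get("name", "").startswith("system:")


def audit_cluster_role_bindings(crb_list, privileged=HIGH_PRIVILEGE_ROLES):
    """Return one finding per (binding, subject) that grants a privileged role."""
    findings = []
    for crb in crb_list.get("items", []):
        role = crb.get("roleRef", {})
        if role.get("kind") != "ClusterRole" or role.get("name") not in privileged:
            continue
        for subj in crb.get("subjects") or []:   # subjects may be absent
            if is_system_subject(subj):
                continue
            findings.append({"binding": crb["metadata"]["name"],
                             "role": role["name"], "subject": subject_id(subj)})
    return findings


if __name__ == "__main__":
    for f in audit_cluster_role_bindings(SAMPLE_CRB_LIST):
        print(f"[ALERT] {f['binding']}: {f['role']} -> {f['subject']}")
```

Run it against live output by loading the JSON from kubectl into audit_cluster_role_bindings; the same logic fits an admission webhook or a periodic audit job.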
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security