Azure / Kubernetes Roles
Kubernetes Roles in an AKS-managed aiManagers cluster define sets of RBAC permission rules (verbs over resources, scoped to the Role's namespace) that are granted to subjects through RoleBindings.
Role definitions are core cluster access-control policy: whoever can edit them controls what every bound subject may do, from read-only access up to full control of the namespace (and, through credentials or workloads reachable from it, potentially the cluster). Cluster-wide rules require a ClusterRole rather than a Role.
Microsoft.ContainerService/aiManagers/rbac.authorization.k8s.io/roles/write
Creating or updating a Role lets an attacker define or expand a permission set that every bound subject inherits, escalating privilege within the namespace without touching the bindings themselves. Kubernetes refuses a Role that grants rules the caller does not already hold unless the caller also has the escalate verb on roles, so the practical impact of this privilege depends on what the principal can otherwise do in the cluster.
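As an added example (not part of the catalog entry), the following Python script reviews Role objects for rules that widen the permission surface this privilege controls: wildcard verbs over wildcard resources, the escalate/bind/impersonate verbs, write access to RBAC objects, and read or exec access to secrets and pods. It assumes input in the JSON shape returned by `kubectl get role -n <namespace> -o json`; the sample Roles and the list of sensitive resource/verb pairs are constructed for illustration and are not from the catalog.

```python
"""Flag Kubernetes Role objects whose rules widen the permission surface.

Added example, not catalog code. Input is the JSON that
`kubectl get role -n <namespace> -o json` returns (a single object or a
kind: List). The SENSITIVE table below is an illustrative assumption, not an
exhaustive list of dangerous permissions.
"""
import json

# Verbs that let a subject grant or assume permissions it does not hold.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

# RBAC objects: write access to any of these is itself a policy change.
RBAC_RESOURCES = {"*", "roles", "rolebindings", "clusterroles", "clusterrolebindings"}
RBAC_WRITE_VERBS = {"*", "create", "update", "patch"}

# (apiGroup, resource) -> verbs that commonly lead to credential theft or
# code execution in the namespace. Constructed for this example.
SENSITIVE = {
    ("", "secrets"): {"get", "list", "watch", "*"},
    ("", "pods/exec"): {"create", "*"},
    ("", "pods"): {"create", "patch", "update", "*"},
    ("", "serviceaccounts/token"): {"create", "*"},
}


def load_roles(text):
    """Accept a single Role/ClusterRole object or a kubectl List and return a list."""
    obj = json.loads(text)
    return obj["items"] if obj.get("kind") == "List" else [obj]


def risky_rules(role):
    """Return [(reason, rule), ...] for every rule in the Role a reviewer should question."""
    findings = []
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))

        # Everything on everything: effectively admin of the namespace.
        if "*" in verbs and "*" in resources:
            findings.append(("wildcard verbs on wildcard resources", rule))
            continue

        esc = verbs & ESCALATION_VERBS
        if esc:
            findings.append(("escalation verb " + "/".join(sorted(esc)), rule))

        # Writing roles/bindings from inside the cluster is a second path to
        # the same outcome this catalog entry describes.
        if (groups & {"*", "rbac.authorization.k8s.io"}
                and resources & RBAC_RESOURCES
                and verbs & RBAC_WRITE_VERBS):
            findings.append(("can write RBAC objects", rule))

        # An apiGroups wildcard covers the core ("") group as well.
        for (grp, res), bad_verbs in SENSITIVE.items():
            if (grp in groups or "*" in groups) and (res in resources or "*" in resources):
                hit = verbs & bad_verbs
                if hit:
                    findings.append(("/".join(sorted(hit)) + " on " + res, rule))
    return findings


def report(roles):
    """Map each Role name to the list of reasons it was flagged (empty means clean)."""
    return {r["metadata"]["name"]: [why for why, _ in risky_rules(r)] for r in roles}


# Constructed sample Roles in a hypothetical "payments" namespace.
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "cm-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "ns-admin", "namespace": "payments"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "secret-peek", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["secrets", "pods"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "role-editor", "namespace": "payments"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles"],
                "verbs": ["update", "escalate"]}]},
]

if __name__ == "__main__":
    for name, reasons in report(SAMPLE_ROLES).items():
        print(name, "->", reasons or "ok")
```

Run it against live data with `kubectl get role -A -o json | python3 review_roles.py` after replacing the sample input with `load_roles(sys.stdin.read())`; a Role that matches the first rule (wildcard on wildcard) is the one this privilege most directly enables, and a finding on an RBAC write verb means the cluster-side path exists even if the Azure data action is later revoked.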
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog