Kubernetes ClusterRoleBindings (AKS Fleet member)
Kubernetes ClusterRoleBinding objects on a member cluster of an AKS Fleet. ClusterRoleBindings grant a ClusterRole's cluster-wide permissions to subjects (users, groups, service accounts).
These are cluster-wide RBAC grant objects; writing them is the canonical Kubernetes cluster-admin privilege-escalation primitive, hence the CRITICAL asset sensitivity.
Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterrolebindings/delete
Deleting ClusterRoleBindings removes cluster-wide RBAC grants, tearing down access-control policy and revoking legitimate admins'/operators' access (denial-of-access).
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security