Kubernetes ClusterRoleBindings (AKS Fleet member)
Kubernetes ClusterRoleBinding objects on a member cluster of an AKS Fleet. ClusterRoleBindings grant a ClusterRole's cluster-wide permissions to subjects (users, groups, service accounts).
Cluster-wide RBAC grant objects. Write access to them is the canonical Kubernetes primitive for escalating to cluster-admin, hence the CRITICAL asset sensitivity.
Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/clusterrolebindings/write
Creating or updating a ClusterRoleBinding lets an attacker bind cluster-admin (or any other ClusterRole) to their own identity or service account. This is the canonical cluster-wide privilege escalation and also a durable persistence foothold, since the binding survives until it is explicitly removed.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security