Kubernetes Roles (AKS fleet member)
Kubernetes namespaced Roles on a member cluster of an AKS fleet. A Role defines a set of permission rules (verbs over resources) that can be granted to subjects via RoleBindings, forming the cluster's RBAC policy definitions.
Roles define the permission sets that drive cluster authorization; controlling them enables privilege escalation, hence CRITICAL.
Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/roles/delete
Deleting Roles removes RBAC permission definitions, destroying access-control policy and denying authorized principals (who depend on those roles) their operational access.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security