services / Azure / Kubernetes Roles (AKS fleet member)
Kubernetes namespaced Roles on a member cluster of an AKS fleet. A Role defines a set of permission rules (verbs over resources) that can be granted to subjects via RoleBindings; together, the Roles form the cluster's RBAC policy definitions.
Roles define the permission sets that drive cluster authorization; control over them enables privilege escalation, hence the CRITICAL rating.
Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/roles/escalate/action
The 'escalate' verb bypasses the RBAC guard that normally prevents a subject from creating or updating a Role carrying permissions the subject does not itself hold; this is the canonical Kubernetes privilege-escalation primitive.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security