services / Azure / Kubernetes Roles (AKS fleet member)
Kubernetes namespaced Roles on a member cluster of an AKS fleet. A Role is a namespaced set of permission rules (verbs over API groups and resources) that grants nothing on its own; it takes effect once a RoleBinding attaches it to subjects (users, groups or service accounts). Roles and their bindings together form the cluster's RBAC policy.
Roles define the permission sets that drive cluster authorization. Whoever can rewrite a Role can widen the permissions of every subject already bound to it, a direct privilege-escalation path, hence CRITICAL.
Microsoft.ContainerService/fleets/members/rbac.authorization.k8s.io/roles/write
Creating or updating a Role defines or expands the permission rules that every subject bound to it inherits, with no change to the RoleBindings themselves. Rewriting a Role that is already bound to the attacker, or to a widely used group, grants the new verbs and resources immediately. Kubernetes escalation prevention bounds this: the API server rejects a Role create or update that contains permissions the requester does not already hold at that scope, unless the requester also has the escalate verb on roles in the rbac.authorization.k8s.io group. When reviewing grants of this privilege, check whether the same principal holds escalate (or already holds broad permissions in the namespace), because either removes the guardrail.
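The following is an added example, not code from this catalog entry or from Microsoft or P0 Security. It models in plain Python what a Role rewrite does to bound subjects and reproduces, in simplified form, the escalation-prevention rule the Kubernetes API server applies to Role create/update requests. The namespace, Role, group and rule contents are constructed for illustration and are assumptions, not values from the page.

```python
"""Model the escalation path behind a Kubernetes Role write.

Added example, not code from the catalog page or from Microsoft/P0.
It reproduces, in plain Python, the escalation-prevention rule the
Kubernetes API server applies to Role create/update requests and shows
how a Role write widens what every bound subject can do. All manifests
below are constructed for illustration; the namespace, Role and group
names are assumptions.
"""
from dataclasses import dataclass
from itertools import product

RBAC_GROUP = "rbac.authorization.k8s.io"


@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset


def parse_rules(manifest_rules):
    """Turn the `rules:` list of a Role manifest into Rule objects."""
    return [
        Rule(frozenset(r["apiGroups"]), frozenset(r["resources"]), frozenset(r["verbs"]))
        for r in manifest_rules
    ]


def expand(rules):
    """Every (apiGroup, resource, verb) triple a rule list grants; '*' wildcards are kept as-is."""
    triples = set()
    for r in rules:
        triples |= set(product(r.api_groups, r.resources, r.verbs))
    return triples


def covers(held, wanted):
    """True if some held triple grants `wanted`, treating '*' as a wildcard."""
    g, res, verb = wanted
    return any(
        hg in ("*", g) and hres in ("*", res) and hv in ("*", verb)
        for hg, hres, hv in held
    )


def newly_granted(old_rules, new_rules):
    """Triples the new Role grants that the old one did not: what every bound subject gains."""
    held = expand(old_rules)
    return {t for t in expand(new_rules) if not covers(held, t)}


def role_write_allowed(requester_rules, new_role_rules):
    """Simplified Kubernetes escalation prevention for a Role update.

    A real API server evaluates the requester's Roles and ClusterRoles at the
    target namespace; here `requester_rules` stands in for that merged set.
    """
    held = expand(requester_rules)
    if not covers(held, (RBAC_GROUP, "roles", "update")):
        return False, "denied: requester cannot update roles"
    if covers(held, (RBAC_GROUP, "roles", "escalate")):
        return True, "allowed: requester holds the escalate verb"
    missing = sorted(t for t in expand(new_role_rules) if not covers(held, t))
    if missing:
        return False, f"denied by escalation prevention, requester lacks: {missing}"
    return True, "allowed: requester already holds every rule in the Role"


# Constructed manifests (assumed names). Role `app-reader` in namespace `payments`
# is bound to group `dev-team` by a RoleBinding that is never touched.
OLD_ROLE_RULES = parse_rules([
    {"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list"]},
])
# The attacker's rewrite of the same Role: adds secrets, which every bound subject inherits.
NEW_ROLE_RULES = parse_rules([
    {"apiGroups": [""], "resources": ["pods", "configmaps", "secrets"], "verbs": ["get", "list"]},
])
# A requester with update on roles in the namespace but no secrets access and no escalate.
DEV_REQUESTER = parse_rules([
    {"apiGroups": [""], "resources": ["pods", "configmaps"], "verbs": ["get", "list"]},
    {"apiGroups": [RBAC_GROUP], "resources": ["roles"], "verbs": ["get", "update", "patch"]},
])
# The same requester after someone also granted the escalate verb: the guardrail is gone.
ESCALATE_REQUESTER = DEV_REQUESTER + parse_rules([
    {"apiGroups": [RBAC_GROUP], "resources": ["roles"], "verbs": ["escalate"]},
])


if __name__ == "__main__":
    print("bound subjects gain:", sorted(newly_granted(OLD_ROLE_RULES, NEW_ROLE_RULES)))
    print("dev requester:", role_write_allowed(DEV_REQUESTER, NEW_ROLE_RULES))
    print("escalate requester:", role_write_allowed(ESCALATE_REQUESTER, NEW_ROLE_RULES))
```

Run as a script to see the three outcomes: the rewrite hands secrets get/list to every member of `dev-team`; the requester who lacks those permissions is stopped by escalation prevention; the same requester with escalate is not. The `newly_granted` diff is also the shape of check an audit pipeline can run over Role update events to flag widening rewrites.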
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security