services / Azure / Kubernetes ClusterRoleBindings (Fleet)
ClusterRoleBindings are cluster-wide Kubernetes RBAC objects that bind subjects (users, groups, service accounts) to ClusterRoles. On an AKS Fleet this permission is evaluated on the fleet hub cluster; a ClusterRoleBinding created there can also be propagated to member clusters through Fleet's resource placement, so one write can confer cluster-scoped permissions across the fleet.
Cluster-wide access control. Writing this resource lets the caller bind any subject to cluster-admin (privilege escalation), which makes it the most security-sensitive Kubernetes RBAC primitive.
Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/clusterrolebindings/write
Creating or updating a ClusterRoleBinding can bind any subject, including an attacker-controlled Microsoft Entra ID user, group or service principal, or a Kubernetes service account, to cluster-admin: the canonical Kubernetes privilege escalation and a durable persistence mechanism, since the binding survives credential rotation and pod restarts and disappears only when someone deletes it. Two details matter in practice. First, the API server's own escalation check rejects a binding to a ClusterRole whose rules exceed the caller's current permissions unless the caller also holds the `bind` verb on that ClusterRole, so this write typically escalates in combination with other rights rather than alone. Second, a binding's roleRef is immutable, so adding a subject to an existing cluster-admin binding (an update or patch) is as dangerous as creating a new one and must be monitored alongside creates.
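Two checks an operator of a fleet hub wants after granting or reviewing this permission, written here as an added example (not P0 Security's or AKS Fleet's own code): an audit of existing ClusterRoleBindings for cluster-admin subjects outside an allowlist, reading the JSON that `kubectl get clusterrolebindings -o json` prints, and a pass over Kubernetes audit-log events that reports successful create/update/patch operations leaving a binding pointed at cluster-admin. Azure RBAC for Kubernetes presents Entra ID users and groups to the API server by object ID, so subjects are object IDs. The allowlist, object IDs, binding names and audit events are constructed sample data, and the audit-log check assumes an audit policy at RequestResponse level for the rbac.authorization.k8s.io group.

```python
import json

# Constructed allowlist: the one group an operator expects in cluster-admin
# (hypothetical platform-admins group object ID).
ALLOWED_CLUSTER_ADMIN_SUBJECTS = {
    ("Group", "11111111-1111-1111-1111-111111111111"),
}

# Constructed sample of `kubectl get clusterrolebindings -o json`, trimmed to
# the fields the audit needs.
SAMPLE_CRB_LIST = json.dumps({"items": [
    {"metadata": {"name": "platform-admins"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                   "name": "11111111-1111-1111-1111-111111111111"}]},
    {"metadata": {"name": "ci-bootstrap"},  # left behind by a pipeline: the finding
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "kube-system"}]},
    {"metadata": {"name": "view-all"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "apiGroup": "rbac.authorization.k8s.io",
                   "name": "22222222-2222-2222-2222-222222222222"}]},
]})


def subject_key(subject):
    """Normalise a binding subject; ServiceAccounts are namespaced, Users/Groups are not."""
    if subject.get("kind") == "ServiceAccount":
        return ("ServiceAccount", f'{subject.get("namespace", "")}/{subject["name"]}')
    return (subject.get("kind"), subject.get("name"))


def find_unexpected_cluster_admins(crb_list_json, allowed=ALLOWED_CLUSTER_ADMIN_SUBJECTS):
    """Return [(binding, kind, subject)] for every cluster-admin subject not in the allowlist."""
    findings = []
    for crb in json.loads(crb_list_json).get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subject in crb.get("subjects") or []:  # subjects may be absent or null
            key = subject_key(subject)
            if key not in allowed:
                findings.append((crb["metadata"]["name"], key[0], key[1]))
    return findings


# Constructed audit events. responseObject is only present at RequestResponse
# level (Request level carries requestObject only, Metadata carries neither),
# and the roleRef check below needs the stored object.
SAMPLE_AUDIT_EVENTS = [json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "33333333-3333-3333-3333-333333333333"},
     "objectRef": {"resource": "clusterrolebindings", "name": "ci-bootstrap"},
     "responseStatus": {"code": 201},
     "responseObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}},
    {"verb": "patch", "user": {"username": "22222222-2222-2222-2222-222222222222"},
     "objectRef": {"resource": "clusterrolebindings", "name": "view-all"},
     "responseStatus": {"code": 200},
     "responseObject": {"roleRef": {"kind": "ClusterRole", "name": "view"}}},
    # Rejected by the API server's escalation check (caller lacked the role's
    # rules and the `bind` verb). Failed attempts deserve their own alert;
    # this function reports only writes that took effect.
    {"verb": "create", "user": {"username": "44444444-4444-4444-4444-444444444444"},
     "objectRef": {"resource": "clusterrolebindings", "name": "backdoor"},
     "responseStatus": {"code": 403},
     "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}},
]]


def detect_cluster_admin_binding_writes(audit_lines):
    """Return [(user, verb, binding)] for successful writes leaving a binding on cluster-admin.

    update and patch are checked as well as create: roleRef is immutable, so the
    realistic change to an existing cluster-admin binding is adding a subject.
    """
    hits = []
    for line in audit_lines:
        event = json.loads(line)
        ref = event.get("objectRef", {})
        if ref.get("resource") != "clusterrolebindings":
            continue
        if event.get("verb") not in {"create", "update", "patch"}:
            continue
        if event.get("responseStatus", {}).get("code", 0) >= 400:
            continue
        stored = event.get("responseObject") or {}
        if stored.get("roleRef", {}).get("name") == "cluster-admin":
            hits.append((event["user"]["username"], event["verb"], ref.get("name")))
    return hits


if __name__ == "__main__":
    for finding in find_unexpected_cluster_admins(SAMPLE_CRB_LIST):
        print("unexpected cluster-admin subject:", finding)
    for hit in detect_cluster_admin_binding_writes(SAMPLE_AUDIT_EVENTS):
        print("cluster-admin binding written:", hit)
```

On the sample data the first check reports only `ci-bootstrap` (a service account in kube-system bound to cluster-admin) and the second reports only the successful create; the 403 event is the escalation check doing its job and is better handled by a separate "denied RBAC write" alert. To run it against a live hub, pipe `kubectl get clusterrolebindings -o json` into the first function and the cluster's audit log lines into the second.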
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security