services / Azure / Kubernetes roles (AKS Fleet)

Kubernetes Role objects in an AKS Fleet cluster, defining namespaced RBAC permission rules (verbs on resources) that grant authorization when bound to subjects via RoleBindings.

Roles are namespaced access-control definitions; combined with bind/escalate they enable privilege escalation, so the RBAC asset class is treated as CRITICAL.


Microsoft.​ContainerService/​fleets/​rbac.​authorization.​k8s.​io/​roles/​escalate/​action

The escalate verb explicitly bypasses Kubernetes privilege-escalation prevention, letting the holder grant a Role permissions beyond their own within the namespace.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​ContainerService
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog