AKS Kubernetes cluster role bindings
A Kubernetes ClusterRoleBinding grants a ClusterRole's permissions to a subject (user, group, or service account) across the entire cluster. On AKS this is a data-plane RBAC binding controlling cluster-wide authorization.
Cluster role bindings are the core cluster-wide access-control bindings; the asset is cluster-admin-grade identity and access-control data.
Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/delete
Deleting ClusterRoleBindings removes cluster-wide RBAC grants, destroying access-control policy and revoking legitimate operators' (including responders') cluster access while attacker access can persist.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security