AKS Kubernetes cluster role bindings (Azure)
A Kubernetes ClusterRoleBinding grants the permissions of a ClusterRole to one or more subjects (users, groups, or service accounts) across the entire cluster, in every namespace. On AKS the permission below is a data action evaluated by Azure RBAC for Kubernetes authorization: it governs who may create or change these bindings through the Kubernetes API, not who may manage the managed cluster resource in Azure Resource Manager. With plain Kubernetes RBAC the equivalent is the create, update, and patch verbs on clusterrolebindings in the rbac.authorization.k8s.io API group.
Cluster role bindings are the cluster-wide access-control layer itself; the asset at stake is cluster-admin-grade identity and authorization data, so a single write here changes who controls every namespace and node.
Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/clusterrolebindings/write
Creating or updating a ClusterRoleBinding lets an attacker bind cluster-admin (or any ClusterRole) to themselves or to a subject they control. This is the canonical Kubernetes primitive for cluster-wide privilege escalation, lateral movement, and persistence. Two practical caveats. The API server's RBAC escalation check still applies: the write succeeds only if the caller already holds every permission in the referenced ClusterRole or is authorized for the bind verb on it, so a principal holding this write action alone is refused with a 403; the action escalates when the caller's other effective permissions in the cluster satisfy that check. And because the write goes through the Kubernetes API, it is recorded in the cluster's API-server audit log (on AKS, the kube-audit and kube-audit-admin diagnostic categories) as a create, update, or patch of clusterrolebindings, not in the Azure activity log for the managed cluster resource.
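The detection and audit logic a practitioner would pair with this permission, as an added example that is not part of the original page and not P0 Security's code: one routine that finds ClusterRoleBindings granting an admin-grade ClusterRole to an unexpected subject, applied both to a `kubectl get clusterrolebindings -o json` dump (static audit) and to API-server audit events in the audit.k8s.io/v1 format (streaming detection). All bindings and audit lines below are constructed for the example, and the ADMIN_GRADE_ROLES and EXPECTED_ADMIN_SUBJECTS sets are assumptions to tune per cluster.

```python
"""Flag ClusterRoleBindings that hand an admin-grade ClusterRole to an unexpected
subject, from a kubectl JSON dump or from Kubernetes audit events.
Added example for this page (not P0 Security's code); sample data is constructed,
and ADMIN_GRADE_ROLES / EXPECTED_ADMIN_SUBJECTS are assumptions to tune per cluster."""
import json

# ClusterRoles whose binding equals cluster takeover. cluster-admin is the
# Kubernetes default; org-specific wildcard roles would be added here (assumption).
ADMIN_GRADE_ROLES = {"cluster-admin"}
# Subjects that legitimately hold cluster-admin. Kubernetes binds system:masters
# at bootstrap; anything else on this allow-list is a per-cluster assumption.
EXPECTED_ADMIN_SUBJECTS = {("Group", "system:masters")}
WRITE_VERBS = {"create", "update", "patch"}


def unexpected_admin_subjects(binding):
    """Subjects of one ClusterRoleBinding object (as served by the API) that receive
    an admin-grade ClusterRole and are not on the expected list."""
    ref = binding.get("roleRef") or {}
    if ref.get("kind") != "ClusterRole" or ref.get("name") not in ADMIN_GRADE_ROLES:
        return []
    return [s for s in binding.get("subjects") or []
            if (s.get("kind"), s.get("name")) not in EXPECTED_ADMIN_SUBJECTS]


def scan_bindings(binding_list):
    """Static audit over `kubectl get clusterrolebindings -o json` output."""
    return [{"binding": b["metadata"]["name"], "subject": f"{s['kind']}:{s['name']}"}
            for b in binding_list.get("items", [])
            for s in unexpected_admin_subjects(b)]


def scan_audit_events(lines):
    """Detection over audit log lines (audit.k8s.io/v1 Event, one JSON object per
    line, level RequestResponse). Denied writes (403, e.g. the RBAC escalation
    check) are reported too: a failed grab of cluster-admin is still a signal."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        # Each request is logged at RequestReceived and again at ResponseComplete;
        # only the latter carries the outcome and the response object.
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in WRITE_VERBS:
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("apiGroup") != "rbac.authorization.k8s.io" or ref.get("resource") != "clusterrolebindings":
            continue
        code = (ev.get("responseStatus") or {}).get("code", 0)
        succeeded = 200 <= code < 300
        # On success responseObject is the stored object (for patch, requestObject is
        # only the patch body); on failure responseObject is a Status, so fall back.
        obj = (ev.get("responseObject") if succeeded else None) or ev.get("requestObject") or {}
        for s in unexpected_admin_subjects(obj):
            findings.append({"actor": (ev.get("user") or {}).get("username"),
                             "verb": ev["verb"],
                             "binding": ref.get("name") or (obj.get("metadata") or {}).get("name"),
                             "subject": f"{s.get('kind')}:{s.get('name')}",
                             "succeeded": succeeded})
    return findings


def _crb(name, role, kind, subject):
    """Build a ClusterRoleBinding object (constructed sample data)."""
    s = {"kind": kind, "name": subject}
    if kind == "ServiceAccount":
        s["namespace"] = "build"
    else:
        s["apiGroup"] = "rbac.authorization.k8s.io"
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
            "subjects": [s]}


SAMPLE_BINDINGS = {"kind": "List", "items": [
    _crb("cluster-admin", "cluster-admin", "Group", "system:masters"),            # bootstrap default
    _crb("ci-deployer-admin", "cluster-admin", "ServiceAccount", "ci-deployer"),  # finding
    _crb("devs-view", "view", "Group", "developers"),                             # harmless
]}


def _event(stage, verb, user, crb, code):
    """Build one audit Event line (constructed sample data)."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
          "stage": stage, "verb": verb, "user": {"username": user, "groups": ["system:authenticated"]},
          "objectRef": {"apiGroup": "rbac.authorization.k8s.io", "resource": "clusterrolebindings",
                        "name": crb["metadata"]["name"]}}
    if stage == "ResponseComplete":
        ev["responseStatus"] = {"code": code}
        if verb in WRITE_VERBS:
            ev["requestObject"] = crb
            ev["responseObject"] = crb if code < 300 else {"kind": "Status", "status": "Failure", "code": code}
    return json.dumps(ev)


_backdoor = _crb("backdoor-admin", "cluster-admin", "User", "attacker@contoso.example")
_denied = _crb("dev-admin", "cluster-admin", "User", "dev@contoso.example")
SAMPLE_AUDIT_LINES = [
    _event("RequestReceived", "create", "attacker@contoso.example", _backdoor, 0),
    _event("ResponseComplete", "create", "attacker@contoso.example", _backdoor, 201),  # succeeded
    _event("ResponseComplete", "create", "dev@contoso.example", _denied, 403),         # escalation check refused
    _event("ResponseComplete", "get", "dev@contoso.example", _backdoor, 200),          # read, ignored
    _event("ResponseComplete", "create", "platform@contoso.example",
           _crb("devs-view", "view", "Group", "developers"), 201),                      # non-admin role, ignored
]

if __name__ == "__main__":
    print(json.dumps(scan_bindings(SAMPLE_BINDINGS), indent=1))
    print(json.dumps(scan_audit_events(SAMPLE_AUDIT_LINES), indent=1))
```

Run it as-is to see the two scans over the constructed data; to use it on a real cluster, feed `scan_bindings` the parsed output of `kubectl get clusterrolebindings -o json` and `scan_audit_events` the exported kube-audit lines. The subject allow-list is the part that needs care: keeping it small and explicit is what makes a new binding to cluster-admin stand out, and denied attempts are kept on purpose because a 403 from the escalation check is usually the first visible step of an escalation attempt.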
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security