services / Azure / Kubernetes RoleBindings (AKS)

In-cluster Kubernetes RBAC RoleBinding objects that bind subjects (users, groups, service accounts) to Roles/ClusterRoles within an AKS managed cluster, governing who can perform which actions in the cluster.

Cluster RBAC is the primary access-control mechanism for the cluster; binding a subject to a privileged role (e.g. cluster-admin) yields full control of the cluster and its workloads/data.


Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/rolebindings/delete

Deleting RoleBindings tears down RBAC access-control assignments, destroying policy and revoking legitimate principals' authorized access to the cluster.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ContainerService
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog