services / Azure / Kubernetes Roles (AKS)
In-cluster Kubernetes RBAC Role (and ClusterRole) objects that define permission rule sets within an AKS managed cluster; subjects (users, groups, service accounts) gain these permissions only when a RoleBinding or ClusterRoleBinding binds them to the role.
Roles define the permission surface of the cluster's RBAC: creating or expanding a role and then binding it grants control over cluster resources, workloads, and data.
Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/escalate/action
The Kubernetes escalate verb explicitly bypasses RBAC privilege-escalation prevention: a caller holding it may create or update roles containing permissions the caller does not itself hold. This Azure data action (used when the cluster is configured for Azure RBAC for Kubernetes authorization) maps to that verb on Role objects, so it is a deliberate privilege-escalation primitive rather than a side effect. Watch for it in custom Azure role definitions and alert on audit-log events where a role is written with rules that exceed the writer's own permissions.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.
Contributed by P0 Security