services / Azure / Kubernetes Roles (AKS)

In-cluster Kubernetes RBAC Role (and ClusterRole) objects that define permission rule sets within an AKS managed cluster; subjects gain these permissions when bound via RoleBindings.

Roles define the permission surface of the cluster's RBAC; crafting/expanding a role and binding it grants control over cluster resources, workloads, and data.


Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/escalate/action

The Kubernetes escalate verb explicitly bypasses RBAC privilege-escalation prevention, allowing creation/update of roles with permissions exceeding the caller's own — a deliberate privilege-escalation primitive.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ContainerService
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog