Azure: Kubernetes Roles (AKS)

In-cluster Kubernetes RBAC Role objects that define permission rule sets within an AKS managed cluster; subjects gain these permissions when bound via RoleBindings.

Roles define the permission surface of the cluster's RBAC; crafting/expanding a role and binding it grants control over cluster resources, workloads, and data.


Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/roles/write

Creating or updating a Role lets an attacker define or broaden a permission set that every subject bound to that Role inherits, enabling privilege escalation. The Kubernetes escalate-verb check limits the writer to granting permissions it already holds, but the write still alters the cluster's RBAC policy.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ContainerService
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog