Kubernetes cluster roles (Arc connected cluster)
ClusterRole objects in the Kubernetes RBAC API of an Azure Arc connected cluster. They define cluster-wide sets of permissions over the Kubernetes API that can be granted to subjects via (cluster)role bindings.
Cluster-scoped RBAC governs access to all namespaces and cluster resources; a ClusterRole can confer cluster-admin, making this the access-control backbone of the entire cluster.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/clusterroles/write
Creating or updating a ClusterRole lets an attacker define or expand cluster-wide permission sets (up to cluster-admin) that can be bound to a controlled principal.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security