Kubernetes roles (Arc connected cluster) in Azure
Role objects in the Kubernetes RBAC API of an Azure Arc connected cluster. They define namespace-scoped sets of permissions over the Kubernetes API that can be granted to subjects via role bindings.
Namespaced RBAC governs access within a namespace, which may host sensitive production workloads and secrets; roles are part of the cluster's access-control fabric.
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/escalate/action
The escalate verb bypasses Kubernetes' built-in privilege-escalation prevention, letting a principal create or update a namespaced Role with permissions beyond those the principal itself holds.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or be exploited for significant privilege escalation.
Contributed by P0 Security