
Summary
This detection rule identifies the creation of Kubernetes Roles or ClusterRoles that grant wildcard (*) permissions, which pose a substantial security risk. A wildcard in a rule's verbs, resources or API groups grants broad access across resources and operations, undermining the principle of least privilege that secure deployments depend on. The rule specifically monitors audit events for the creation of roles that carry these excessive permissions, because attackers often exploit RBAC (Role-Based Access Control) weaknesses to create such roles and maximize their control over the Kubernetes cluster. When a role with wildcard permissions is created, the alert calls for a thorough review of the role to verify that its creation was authorized and to remediate any unauthorized access. This rule is critical to maintaining the integrity and security of Kubernetes environments by catching privilege escalation early.
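The check described above, implemented over Kubernetes API server audit events, as an added example that is not part of the original rule or of any detection product. The audit log lines below are constructed for the example; the field names (stage, verb, objectRef, requestObject, responseStatus) are those of the audit.k8s.io/v1 Event schema. The example also handles the failure mode a practitioner runs into first: an audit policy at the Metadata level omits requestObject, so the role's rules cannot be inspected, and the event is reported as unevaluable rather than silently passed.

```python
import json
from typing import Iterator, Optional

# Constructed sample audit log (JSON lines), not data from a real cluster.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:default:builder"},"objectRef":{"resource":"clusterroles","apiGroup":"rbac.authorization.k8s.io","name":"do-everything"},"requestObject":{"kind":"ClusterRole","rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"roles","namespace":"dev","apiGroup":"rbac.authorization.k8s.io","name":"pod-reader"},"requestObject":{"kind":"Role","rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","list","watch"]}]},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"roles","namespace":"prod","apiGroup":"rbac.authorization.k8s.io","name":"secrets-anything"},"requestObject":{"kind":"Role","rules":[{"apiGroups":[""],"resources":["secrets"],"verbs":["*"]}]},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"carol"},"objectRef":{"resource":"roles","namespace":"ops","apiGroup":"rbac.authorization.k8s.io","name":"unknown-rules"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"dave"},"objectRef":{"resource":"pods","namespace":"dev","name":"nginx"},"requestObject":{"kind":"Pod"},"responseStatus":{"code":201}}
'''

RBAC_API_GROUP = "rbac.authorization.k8s.io"
RBAC_RESOURCES = {"roles", "clusterroles"}
# A '*' in any of these PolicyRule fields is what the rule treats as a wildcard.
WILDCARD_FIELDS = ("verbs", "resources", "apiGroups")


def parse_audit_log(text: str) -> Iterator[dict]:
    """Yield one event per non-empty line of a JSON-lines audit log."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def wildcard_fields(rule: dict) -> list:
    """Names of the PolicyRule fields that contain the '*' wildcard."""
    return [field for field in WILDCARD_FIELDS if "*" in rule.get(field, [])]


def evaluate_event(event: dict) -> Optional[dict]:
    """Classify one audit event against the wildcard-role rule.

    Returns None for events outside the rule's scope, otherwise a finding with
    status 'alert' (wildcard present), 'clean' (no wildcard) or 'unevaluable'
    (the audit policy did not record the request body).
    """
    # Each request is logged at several stages; ResponseComplete alone carries
    # the final status, and keying on it avoids duplicate alerts per request.
    if event.get("stage") != "ResponseComplete" or event.get("verb") != "create":
        return None
    ref = event.get("objectRef", {})
    if ref.get("apiGroup") != RBAC_API_GROUP or ref.get("resource") not in RBAC_RESOURCES:
        return None
    code = event.get("responseStatus", {}).get("code", 0)
    if not 200 <= code < 300:
        return None  # the role was not actually created (e.g. 403 Forbidden)
    finding = {
        "name": ref.get("name"),
        "kind": ref["resource"],
        "namespace": ref.get("namespace", "<cluster>"),  # ClusterRoles are cluster-scoped
        "user": event.get("user", {}).get("username"),
    }
    body = event.get("requestObject")
    if body is None:
        # Audit level 'Metadata' omits the request body, so the rules cannot be
        # inspected; surface this so the audit policy can be raised to Request.
        return {**finding, "status": "unevaluable", "wildcards": []}
    wildcards = []
    for index, rule in enumerate(body.get("rules", [])):
        fields = wildcard_fields(rule)
        if fields:
            wildcards.append({"rule": index, "fields": fields})
    finding["wildcards"] = wildcards
    finding["status"] = "alert" if wildcards else "clean"
    return finding


def scan(text: str) -> list:
    """All in-scope findings (alert, clean and unevaluable) for an audit log."""
    return [f for f in (evaluate_event(e) for e in parse_audit_log(text)) if f is not None]


def alerts(text: str) -> list:
    """Only the findings that should page someone."""
    return [f for f in scan(text) if f["status"] == "alert"]


if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LOG):
        print(json.dumps(finding))
```

The scan deliberately covers only the create verb, matching the rule as described; wildcard permissions can also be added to an existing role through update or patch, so a production version of the check would include those verbs as well. Successful creations are the only ones alerted on here; a 403 on the same request is still a useful, lower-severity signal that someone is attempting to grant themselves broad access.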
Categories
- Kubernetes
- Cloud
- Infrastructure
Data Sources
- Pod
- Container
- User Account
- Cloud Service
ATT&CK Techniques
- T1078.004
Created: 2026-02-18