
Summary
This detection rule identifies the creation of Kubernetes Roles or ClusterRoles that grant access to node proxy subresources, such as `nodes/proxy` or `nodes/*`. Such permissions allow direct interaction with the kubelet API through the API server's node proxy, which an attacker can use to execute commands in containers running on the node, read container logs, and potentially escape to the node's host filesystem; granting them is therefore a privilege escalation path. The rule is particularly relevant in managed cloud environments such as Amazon EKS, Azure AKS, and GCP GKE, where API-server audit logs expose these RBAC changes and where a compromised identity could use them. Stratus Red Team includes this technique as a privilege escalation attack simulation. When the rule fires, investigate the context and consequences of the role creation: enumerate the RoleBindings and ClusterRoleBindings that reference the new role, and review historical API operations by the bound subjects to determine whether the permission has actually been exercised.
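As an added example (not code from the rule page or from Stratus Red Team), the detection and triage logic described above, written in Python over Kubernetes API-server audit events in JSON-lines form, which is the format EKS, AKS and GKE forward to their logging services. The event shape follows audit.k8s.io/v1; the sample events, role names, user names and helper function names are constructed for illustration. It goes slightly beyond the two patterns the rule text names by also flagging a bare `*` resource wildcard, which subsumes `nodes/proxy`.

```python
import json

# Resources whose grant reaches the kubelet API through the API server's node proxy.
# The rule text names nodes/proxy and nodes/*; a bare "*" resource wildcard also
# subsumes them, so it is included here (generalisation, not from the original rule).
NODE_PROXY_RESOURCES = {"nodes/proxy", "nodes/*", "*"}
CORE_API_GROUPS = {"", "*"}            # nodes live in the core ("") API group
ROLE_RESOURCES = {"roles", "clusterroles"}
BINDING_RESOURCES = {"rolebindings", "clusterrolebindings"}
WRITE_VERBS = {"create", "update"}     # "patch" bodies are diffs, not full objects


def grants_node_proxy(rule):
    """True if a single RBAC rule grants any verb on nodes/proxy or a wildcard covering it."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    return bool(groups & CORE_API_GROUPS) and bool(resources & NODE_PROXY_RESOURCES)


def find_risky_role_writes(events):
    """Detection: successful create/update of a Role or ClusterRole carrying a node-proxy rule.

    Needs the audit policy to record request bodies (level Request or RequestResponse);
    without requestObject the rules cannot be inspected and the event is skipped.
    """
    findings = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in WRITE_VERBS:
            continue
        if ref.get("resource") not in ROLE_RESOURCES:
            continue
        if ev.get("responseStatus", {}).get("code", 0) >= 300:
            continue                       # rejected by the API server; nothing was granted
        obj = ev.get("requestObject", {})
        hits = [r for r in obj.get("rules", []) if grants_node_proxy(r)]
        if hits:
            findings.append({
                "role": ref.get("name"),
                "kind": obj.get("kind"),
                "namespace": ref.get("namespace"),      # None for a ClusterRole
                "user": ev.get("user", {}).get("username"),
                "verbs": sorted({v for r in hits for v in r.get("verbs", [])}),
            })
    return findings


def bindings_for_role(events, role_name, role_kind):
    """Triage: subjects bound to the flagged role by binding writes in the same log."""
    subjects = []
    for ev in events:
        ref = ev.get("objectRef", {})
        if ev.get("verb") not in WRITE_VERBS or ref.get("resource") not in BINDING_RESOURCES:
            continue
        obj = ev.get("requestObject", {})
        role_ref = obj.get("roleRef", {})
        if role_ref.get("name") == role_name and role_ref.get("kind") == role_kind:
            subjects.extend((s.get("kind"), s.get("name")) for s in obj.get("subjects", []))
    return subjects


def triage(audit_log_lines):
    """Parse JSON-lines audit output, run the detection, and attach bound subjects."""
    events = [json.loads(line) for line in audit_log_lines.splitlines() if line.strip()]
    findings = find_risky_role_writes(events)
    for f in findings:
        f["bound_subjects"] = bindings_for_role(events, f["role"], f["kind"])
    return findings


def _event(verb, resource, name, request_object, namespace=None, user="dev-user", code=201):
    """Build a minimal audit.k8s.io/v1 event (constructed sample data, not a real capture)."""
    ref = {"resource": resource, "apiGroup": "rbac.authorization.k8s.io", "name": name}
    if namespace:
        ref["namespace"] = namespace
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
            "verb": verb, "user": {"username": user}, "objectRef": ref,
            "requestObject": request_object, "responseStatus": {"code": code}}


# Constructed sample log: two risky writes, one benign role, one rejected attempt, one binding.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("create", "clusterroles", "node-proxy-reader", {"kind": "ClusterRole", "rules": [
        {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get", "create"]}]}),
    _event("create", "roles", "pod-reader", {"kind": "Role", "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}]}, namespace="dev"),
    _event("create", "clusterroles", "denied-role", {"kind": "ClusterRole", "rules": [
        {"apiGroups": [""], "resources": ["nodes/*"], "verbs": ["*"]}]}, code=403),
    _event("create", "clusterrolebindings", "node-proxy-reader-binding", {
        "kind": "ClusterRoleBinding",
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                    "name": "node-proxy-reader"},
        "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]}),
    _event("update", "clusterroles", "ops-admin", {"kind": "ClusterRole", "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}, user="ops-admin"),
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LOG):
        print(json.dumps(finding))
```

A `patch` write carries a JSON or merge patch in `requestObject` rather than the full object, so this scan only covers `create` and `update`; a production rule should either inspect `responseObject` (audit level RequestResponse) or re-read the role from the API after the event. The wildcard check means a broad admin role also fires, which is intended: the triage question is who is bound to it, and `bindings_for_role` answers that from the same log.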
Categories
- Kubernetes
- Cloud
- AWS
- Azure
- GCP
Data Sources
- Cloud Service
- Application Log
- User Account
ATT&CK Techniques
- T1078.004
- T1562.001
Created: 2026-02-18