
Summary
This rule detects write operations initiated by Kubernetes service accounts against Role-Based Access Control (RBAC) resources, including Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings. Service accounts generally do not have permission to manage RBAC settings, so any such action is suspicious and may indicate token theft, misconfigured permissions, or an unauthorized privilege escalation attempt. A compromised service account can be used to alter RBAC settings and grant elevated privileges within the cluster, notably cluster-admin access, giving an attacker persistent control. The detection logic uses Kubernetes API audit logs to identify allowed write actions (create, delete, patch, or update) directed at RBAC resources by service accounts, excluding specific accounts associated with automated system processes. The investigation guide recommends retrieving the full audit logs, tracing the originating workload, and correlating authentication patterns to confirm that no unauthorized access has occurred. False positives may arise from legitimate automation processes, but the rule provides detailed remediation steps, including immediate containment actions such as removing the role binding and rotating credentials for compromised accounts. This rule plays a crucial role in maintaining cluster security against privilege escalation and persistent threats.
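As an added illustration, not the rule's own query or code, the matching logic described above applied to constructed Kubernetes audit events in Python. It reads only the standard audit Event fields (`verb`, `user.username`, `objectRef`, and the `authorization.k8s.io/decision` annotation); the exclusion list entry is a placeholder assumption that an operator would replace with the cluster's real automation accounts.

```python
import json

RBAC_RESOURCES = {"roles", "clusterroles", "rolebindings", "clusterrolebindings"}
WRITE_VERBS = {"create", "delete", "patch", "update"}
# Placeholder (assumption): automation accounts allowed to manage RBAC; tune per cluster.
EXCLUDED_SERVICE_ACCOUNTS = {"system:serviceaccount:kube-system:placeholder-rbac-controller"}


def is_suspicious_rbac_write(event: dict) -> bool:
    """True when an allowed RBAC write was made by a non-excluded service account."""
    username = event.get("user", {}).get("username", "")
    if not username.startswith("system:serviceaccount:"):
        return False  # human users and node identities are out of scope for this rule
    if username in EXCLUDED_SERVICE_ACCOUNTS:
        return False  # known automation, tuned per cluster
    if event.get("verb") not in WRITE_VERBS:
        return False  # reads (get/list/watch) are not what this rule looks for
    ref = event.get("objectRef", {})
    if ref.get("apiGroup") != "rbac.authorization.k8s.io" or ref.get("resource") not in RBAC_RESOURCES:
        return False
    # Only allowed requests count; a denied attempt is a different (still useful) signal
    return event.get("annotations", {}).get("authorization.k8s.io/decision") == "allow"


def scan_audit_log(lines):
    """Parse JSON-lines audit events and return (user, verb, resource, name) for each hit."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_suspicious_rbac_write(ev):
            ref = ev["objectRef"]
            hits.append((ev["user"]["username"], ev["verb"], ref["resource"], ref.get("name", "")))
    return hits


def make_event(user, verb, resource, decision="allow", name="x", group="rbac.authorization.k8s.io"):
    """Build a minimal constructed audit event containing only the fields the rule reads."""
    return json.dumps({"verb": verb, "user": {"username": user},
                       "objectRef": {"apiGroup": group, "resource": resource, "name": name},
                       "annotations": {"authorization.k8s.io/decision": decision}})

# Constructed sample log: one escalation-style hit, the rest benign, denied, or excluded
SAMPLE_AUDIT_LOG = [
    make_event("system:serviceaccount:default:web-app", "create", "clusterrolebindings", name="web-admin"),
    make_event("system:serviceaccount:default:web-app", "get", "clusterrolebindings"),
    make_event("system:serviceaccount:default:web-app", "create", "clusterrolebindings", decision="forbid"),
    make_event("kubernetes-admin", "patch", "clusterroles", name="edit"),
    make_event("system:serviceaccount:kube-system:placeholder-rbac-controller", "update", "roles"),
]

if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_AUDIT_LOG):
        print("ALERT: service account %s performed %s on %s/%s" % hit)
```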
Categories
- Kubernetes
Data Sources
- Kernel
- Cloud Service
- Process
ATT&CK Techniques
- T1098
- T1098.006
Created: 2026-02-04