
Summary
This detection rule identifies the creation of RoleBindings or ClusterRoleBindings in a Kubernetes cluster that reference a ServiceAccount. Such an event can indicate unauthorized privilege delegation, which may arise from misconfigurations in Role-Based Access Control (RBAC). RoleBindings and ClusterRoleBindings control access to cluster resources, so any creation of these bindings should be scrutinized closely: they may enable attackers to escalate privileges by attaching elevated roles to existing ServiceAccounts. The rule helps identify potential security breaches and verify that access controls are enforced properly, to prevent privilege escalation and maintain Kubernetes cluster integrity.
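The matching logic described above, applied to Kubernetes API server audit events. This is an added example, not the rule's own query; the function names and the sample events are constructed for illustration. It assumes audit.k8s.io/v1 JSON events logged at the Request or RequestResponse level, because requestObject is not recorded at the Metadata level.

```python
import json

RBAC_GROUP = "rbac.authorization.k8s.io"
BINDINGS = {"rolebindings", "clusterrolebindings"}

def find_sa_bindings(audit_lines):
    """Return one finding per accepted binding creation that names a ServiceAccount."""
    findings = []
    for line in audit_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines
        ref = ev.get("objectRef") or {}
        if (ev.get("verb") != "create" or ref.get("apiGroup") != RBAC_GROUP
                or ref.get("resource") not in BINDINGS):
            continue
        # Rejected requests (e.g. 403) created nothing; keep 2xx responses only.
        if not 200 <= (ev.get("responseStatus") or {}).get("code", 0) < 300:
            continue
        # requestObject carries the binding body: its subjects and roleRef.
        obj = ev.get("requestObject") or {}
        sas = [f"{s.get('namespace', '')}/{s.get('name', '')}"
               for s in obj.get("subjects") or [] if s.get("kind") == "ServiceAccount"]
        if sas:
            role = obj.get("roleRef") or {}
            findings.append({"actor": (ev.get("user") or {}).get("username"),
                             "binding": f"{ref['resource']}/{ref.get('name')}",
                             "role": f"{role.get('kind')}/{role.get('name')}",
                             "service_accounts": sas})
    return findings

def make_event(verb, resource, name, subjects, role, code, user="dev@example.com"):
    """Build a constructed audit event in the audit.k8s.io/v1 Event shape."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": verb, "user": {"username": user}, "responseStatus": {"code": code},
        "objectRef": {"apiGroup": RBAC_GROUP, "resource": resource, "name": name},
        "requestObject": {"subjects": subjects, "roleRef": role},
    })

SA = {"kind": "ServiceAccount", "name": "ci-runner", "namespace": "build"}
ADMIN = {"kind": "ClusterRole", "name": "cluster-admin"}
SAMPLE_LOG = [  # constructed sample input, not real cluster data
    make_event("create", "clusterrolebindings", "ci-admin", [SA], ADMIN, 201),
    make_event("create", "rolebindings", "alice", [{"kind": "User", "name": "alice"}], ADMIN, 201),
    make_event("create", "rolebindings", "denied", [SA], ADMIN, 403),
    "{truncated",
]
print(find_sa_bindings(SAMPLE_LOG))
```

Only the first sample event produces a finding: the second binds a User rather than a ServiceAccount, the third was rejected by the API server, and the fourth is not valid JSON.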
Categories
- Kubernetes
- Cloud
Data Sources
- Kernel
- Container
ATT&CK Techniques
- T1098
- T1098.006
Created: 2026-02-04