Kubernetes Role With Write Permissions Created

Panther Rules

Summary
This detection rule monitors the creation of Roles or ClusterRoles in Kubernetes that grant write permissions, meaning the verbs create, update, patch, delete, or deletecollection on resources. Such roles are often needed for legitimate functionality, but they become a risk when they are broader than the workload requires. Auditing each role creation lets teams review and tune Role-Based Access Control (RBAC) against their security baseline and limit exposure of sensitive resources such as secrets or the RBAC objects themselves. The alert severity is raised when the write permissions extend to these critical resources, since mismanaging them can compromise the cluster's security posture. The rule consumes audit events from Amazon EKS, Azure AKS, and Google GKE so that it applies across cloud environments, supporting least-privilege access practices in development, staging, and production.
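As an added illustration, not Panther's own rule code, the following Python rule in the Panther convention of rule(), severity() and title() functions evaluates a Kubernetes audit log event for the logic the summary describes. The field names follow the Kubernetes audit event schema; the exclusion of non-2xx (denied) requests is this example's own choice.

```python
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Resources treated as critical in the summary: secrets and RBAC objects.
CRITICAL_RESOURCES = {"secrets", "roles", "clusterroles", "rolebindings", "clusterrolebindings"}
ROLE_KINDS = {"roles", "clusterroles"}

def write_rules(event):
    """Return the rule entries of a newly created Role/ClusterRole that grant write verbs."""
    # Only successful create requests on roles/clusterroles are of interest;
    # denied attempts (non-2xx) are excluded, an assumption of this example.
    if event.get("verb") != "create":
        return []
    if event.get("objectRef", {}).get("resource") not in ROLE_KINDS:
        return []
    if not 200 <= event.get("responseStatus", {}).get("code", 0) < 300:
        return []
    matched = []
    for entry in event.get("requestObject", {}).get("rules", []):
        verbs = {v.lower() for v in entry.get("verbs", [])}
        if "*" in verbs or verbs & WRITE_VERBS:  # a wildcard verb implies every write verb
            matched.append(entry)
    return matched

def rule(event):
    return bool(write_rules(event))

def severity(event):
    # Escalate when a write-capable entry touches secrets, RBAC objects, or everything ("*").
    for entry in write_rules(event):
        resources = {r.lower() for r in entry.get("resources", [])}
        if "*" in resources or resources & CRITICAL_RESOURCES:
            return "HIGH"
    return "MEDIUM"

def title(event):
    user = event.get("user", {}).get("username", "<unknown user>")
    ref = event.get("objectRef", {})
    return f"Kubernetes {ref.get('resource')} '{ref.get('name')}' with write permissions created by {user}"

# Constructed sample audit event (not a real log): a ClusterRole that can create/delete secrets.
SAMPLE_EVENT = {
    "verb": "create",
    "responseStatus": {"code": 201},
    "user": {"username": "dev-admin@example.com"},
    "objectRef": {"resource": "clusterroles", "name": "example-writer"},
    "requestObject": {"rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create", "delete"]},
    ]},
}
```

A role that only writes to non-critical resources such as pods still fires, but at the lower severity.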
Categories
  • Kubernetes
  • Cloud
Data Sources
  • Pod
  • Container
  • User Account
ATT&CK Techniques
  • T1222
Created: 2026-02-18