Kubernetes Creation or Modification of Sensitive Role

Elastic Detection Rules

Summary
This rule detects the creation or modification of Kubernetes Roles or ClusterRoles that grant high-risk permissions, such as wildcard access or the RBAC escalation verbs bind, escalate and impersonate. Such changes can enable privilege escalation or unauthorized access within the cluster. The detection uses Kubernetes audit logs to identify allowed create, update and patch actions on these sensitive RBAC objects, each of which signals a potential security incident. With this rule in place, security teams can respond promptly to unauthorized changes and close off excessive permissions that attackers could otherwise use for persistence or lateral movement across the Kubernetes environment. Detailed investigation steps describe how to validate the change, assess the affected role and apply remediation to safeguard cluster integrity. False positives may arise from routine administrative changes or legitimate refactoring of roles, but every hit still warrants careful analysis.
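As an added illustration of the detection logic the summary describes, the following Python is not part of the Elastic rule; it applies the same checks (an allowed create, update or patch of a Role or ClusterRole whose rules carry a wildcard or a bind, escalate or impersonate verb) to constructed Kubernetes audit log lines. It assumes events recorded at the RequestResponse audit level with the standard apiserver audit field names; the user name, role names and rules in the samples are made up.

```python
import json

ESCALATION_VERBS = {"bind", "escalate", "impersonate"}  # let a principal grant or assume rights it lacks
SENSITIVE_RESOURCES = {"roles", "clusterroles"}
WRITE_VERBS = {"create", "update", "patch"}
RBAC_GROUP = "rbac.authorization.k8s.io"

def rule_is_sensitive(rule):
    """True if one RBAC policy rule grants wildcard access or an escalation verb."""
    verbs = set(rule.get("verbs", []))
    return ("*" in verbs or "*" in rule.get("resources", []) or "*" in rule.get("apiGroups", [])
            or bool(verbs & ESCALATION_VERBS))

def is_sensitive_role_change(event):
    """Detection logic for a single Kubernetes audit event (already parsed from JSON)."""
    ref = event.get("objectRef", {})
    if (event.get("verb") not in WRITE_VERBS or ref.get("resource") not in SENSITIVE_RESOURCES
            or ref.get("apiGroup") != RBAC_GROUP):
        return False
    # Only *allowed* writes matter: a request the API server rejected changed nothing.
    if event.get("responseStatus", {}).get("code", 0) >= 400:
        return False
    # requestObject exists only at the RequestResponse audit level; for a patch it is the
    # patch body, so a partial patch may carry no "rules" key and is not flagged here.
    rules = (event.get("requestObject") or {}).get("rules") or []
    return any(rule_is_sensitive(r) for r in rules)

def scan(audit_lines):
    """Return (username, verb, namespace/name) for each matching JSON audit line."""
    hits = []
    for line in audit_lines:
        ev = json.loads(line)
        if is_sensitive_role_change(ev):
            ref = ev["objectRef"]
            hits.append((ev["user"]["username"], ev["verb"],
                         f'{ref.get("namespace", "cluster")}/{ref["name"]}'))
    return hits

def _event(verb, resource, name, rules, code=201, ns=None):
    """Build one constructed audit event line (sample data, not from a real cluster)."""
    ref = {"resource": resource, "apiGroup": RBAC_GROUP, "name": name, **({"namespace": ns} if ns else {})}
    return json.dumps({"verb": verb, "user": {"username": "dev-ci"}, "objectRef": ref,
                       "responseStatus": {"code": code}, "requestObject": {"rules": rules}})

SAMPLE_AUDIT_LINES = [  # constructed: wildcard ClusterRole, impersonate Role, benign Role, denied write
    _event("create", "clusterroles", "wide-open", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _event("patch", "roles", "helper", [{"apiGroups": [""], "resources": ["users"], "verbs": ["impersonate"]}], code=200, ns="prod"),
    _event("create", "roles", "reader", [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}], ns="prod"),
    _event("create", "clusterroles", "denied", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}], code=403),
]
```

Running `scan(SAMPLE_AUDIT_LINES)` flags only the first two events; the read-only Role and the 403-rejected ClusterRole are ignored, matching the "allowed actions" condition in the summary.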
Categories
  • Kubernetes
Data Sources
  • Kernel
  • Container
  • Process
ATT&CK Techniques
  • T1098
  • T1098.006
Created: 2026-02-04