
Summary
This rule detects the creation of a RoleBinding or ClusterRoleBinding in Kubernetes whose roleRef points at the built-in cluster-admin ClusterRole. Bound through a ClusterRoleBinding, cluster-admin grants unrestricted access to every resource in the cluster; bound through a namespaced RoleBinding, it grants full control of that namespace. Creating such a binding is a common privilege-escalation step and a frequent misconfiguration (for example, binding cluster-admin to a namespace's default service account), so it is a high-value event for security teams to investigate before it leads to loss of the cluster's integrity or availability. The detection is based on Kubernetes API audit log events that record a create request for a rolebindings or clusterrolebindings object whose roleRef names cluster-admin. An associated investigation guide lays out steps for confirming that the binding was expected, verifying that the requesting principal was authorized to create it, and identifying unauthorized access, together with a detailed response and remediation strategy.
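The following is an added worked example, not part of the rule or its investigation guide: a small Python matcher run over constructed Kubernetes audit events (the sample log below is made up for illustration and trimmed to the fields the logic reads). It applies the condition described above to the audit event structure, distinguishes a cluster-wide ClusterRoleBinding from a namespaced RoleBinding to cluster-admin, skips the RequestReceived stage so one request is not reported twice, separates successful creates from denied attempts, and flags binding creates whose audit level was Metadata, where the roleRef is simply not present in the event. The field names used (verb, stage, objectRef, requestObject.roleRef, responseStatus.code) are those of the audit.k8s.io/v1 Event schema.

```python
"""Match Kubernetes audit events that bind the cluster-admin ClusterRole.

Added example: constructed audit lines, not data from a real cluster.
"""
import json

RBAC_GROUP = "rbac.authorization.k8s.io"
BINDING_RESOURCES = {"rolebindings", "clusterrolebindings"}

# Constructed sample audit log (newline-delimited JSON, one event per line).
# Real events carry many more fields; only those the detection reads are kept.
SAMPLE_AUDIT_LOG = r"""
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com","groups":["system:authenticated"]},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"ops-admin"},"requestObject":{"kind":"ClusterRoleBinding","roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"User","name":"bob@example.com"}]},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"RequestReceived","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"ops-admin"},"requestObject":{"kind":"ClusterRoleBinding","roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"User","name":"bob@example.com"}]}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"rolebindings","namespace":"prod","apiGroup":"rbac.authorization.k8s.io","name":"debug-admin"},"requestObject":{"kind":"RoleBinding","metadata":{"namespace":"prod"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"default","namespace":"prod"}]},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"rolebindings","namespace":"dev","apiGroup":"rbac.authorization.k8s.io","name":"viewers"},"requestObject":{"kind":"RoleBinding","roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"view"},"subjects":[{"kind":"Group","name":"devs"}]},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","stage":"ResponseComplete","verb":"create","user":{"username":"mallory"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"sneaky"},"requestObject":{"kind":"ClusterRoleBinding","roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"User","name":"mallory"}]},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"carol"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"unknown-binding"},"responseStatus":{"code":201}}
"""


def is_binding_create(event):
    """True for a completed create of a RoleBinding or ClusterRoleBinding.

    Only the ResponseComplete stage is accepted; the same request also appears
    at the RequestReceived stage and would otherwise be reported twice.
    """
    ref = event.get("objectRef") or {}
    return (
        event.get("verb") == "create"
        and event.get("stage") == "ResponseComplete"
        and ref.get("apiGroup") == RBAC_GROUP
        and ref.get("resource") in BINDING_RESOURCES
    )


def binds_cluster_admin(request_object):
    """True if the submitted binding's roleRef names the cluster-admin ClusterRole."""
    role_ref = request_object.get("roleRef") or {}
    return role_ref.get("kind") == "ClusterRole" and role_ref.get("name") == "cluster-admin"


def classify(event):
    """Return 'grant', 'denied', 'blind', or None for a non-matching event.

    'blind' marks a binding create logged at audit level Metadata: the request
    body is absent, so the roleRef cannot be inspected and the event needs a
    follow-up lookup of the object rather than a silent pass.
    """
    if not is_binding_create(event):
        return None
    body = event.get("requestObject")
    if body is None:
        return "blind"
    if not binds_cluster_admin(body):
        return None
    code = (event.get("responseStatus") or {}).get("code", 0)
    return "grant" if 200 <= code < 300 else "denied"


def scope_of(event):
    """A RoleBinding carries a namespace; a ClusterRoleBinding applies cluster-wide."""
    ns = (event.get("objectRef") or {}).get("namespace")
    return "namespace:%s" % ns if ns else "cluster-wide"


def format_subjects(body):
    """Render the principals that receive the role, qualifying service accounts."""
    out = []
    for s in body.get("subjects", []):
        if s.get("kind") == "ServiceAccount":
            out.append("ServiceAccount %s/%s" % (s.get("namespace"), s.get("name")))
        else:
            out.append("%s %s" % (s.get("kind"), s.get("name")))
    return out


def detect(lines):
    """Run the matcher over NDJSON audit lines and return one finding per hit."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        verdict = classify(event)
        if verdict is None:
            continue
        findings.append({
            "verdict": verdict,
            "actor": (event.get("user") or {}).get("username"),
            "binding": (event.get("objectRef") or {}).get("name"),
            "scope": scope_of(event),
            "subjects": format_subjects(event.get("requestObject") or {}),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

Two points the sample is built to show: the namespaced RoleBinding to cluster-admin is still a hit (scoped to prod rather than cluster-wide, which matters for triage), and the last event is reported as blind because requestObject only exists when the audit policy logs RBAC writes at level Request or RequestResponse; a cluster whose policy logs these objects at Metadata cannot support this rule as written.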
Categories
- Kubernetes
Data Sources
- Kernel
- Cloud Service
ATT&CK Techniques
- T1098
- T1098.006
Created: 2026-02-04