
GCP Kubernetes Rolebindings Created or Patched

Elastic Detection Rules

Summary
This rule identifies the creation or modification (patching) of role bindings in a Google Cloud Platform (GCP) Kubernetes environment. Role bindings and cluster role bindings are the objects that grant a Role or ClusterRole to users, groups, or service accounts, so any change to them changes who can do what in the cluster. The rule matches successful create and patch events for both RoleBinding and ClusterRoleBinding objects. It is built on Google Cloud audit log data: it selects events ingested under the 'googlecloud.audit' or 'gcp.audit' datasets whose action is a Kubernetes RBAC (Role-Based Access Control) create or patch of one of these binding types and whose outcome is success. Actions performed by the cluster's addon manager are excluded, since that system component routinely reconciles bindings and its activity is usually benign. The rule is part of a continuous monitoring effort to detect privilege escalation, where an attacker or a compromised identity binds a highly privileged role (for example cluster-admin) to a subject they control. Each alert should be triaged by checking which principal made the change, which namespace or cluster scope it affects, and which subjects and role the resulting binding grants.
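The filter described above, run over constructed sample audit records, as an added example (this is not Elastic's rule code). It assumes ECS-style field names as produced by the Elastic GCP integration (event.dataset, event.action, event.outcome, gcp.audit.authentication_info.principal_email), that event.action carries the GKE audit methodName string of the form io.k8s.authorization.rbac.<version>.<resource>.<verb>, and that the addon manager appears as the principal "system:addon-manager"; all three are assumptions, and the log lines are constructed here, not captured from a real cluster.

```python
"""Detection logic for GCP Kubernetes role binding create/patch events,
run over constructed sample audit records (added example, not rule code).

Assumptions: ECS-style field names (event.dataset, event.action,
event.outcome, gcp.audit.authentication_info.principal_email); event.action
mirrors the GKE audit methodName; the addon manager is identified by the
principal "system:addon-manager".
"""
import json
import re
from typing import Iterable, List, Optional

DATASETS = {"googlecloud.audit", "gcp.audit"}
# Any RBAC API version (v1, v1beta1, ...), both binding kinds, create or patch.
ACTION_RE = re.compile(
    r"^io\.k8s\.authorization\.rbac\.v[0-9a-z]+\."
    r"(clusterrolebindings|rolebindings)\.(create|patch)$"
)
EXCLUDED_PRINCIPALS = {"system:addon-manager"}  # assumed addon-manager identity


def get_field(event: dict, path: str) -> Optional[object]:
    """Walk a dotted ECS path through a nested dict; None if any step is missing."""
    cur: object = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event: dict) -> bool:
    """True when the record is a successful (cluster)rolebinding create/patch
    from GCP audit data that was not performed by the addon manager."""
    if get_field(event, "event.dataset") not in DATASETS:
        return False
    action = get_field(event, "event.action")
    if not isinstance(action, str) or not ACTION_RE.match(action):
        return False
    if get_field(event, "event.outcome") != "success":
        return False
    # A missing principal is not equal to the excluded value, so the record
    # still alerts, which is how a "not field:value" clause treats absent fields.
    principal = get_field(event, "gcp.audit.authentication_info.principal_email")
    return principal not in EXCLUDED_PRINCIPALS


def _record(dataset: str, action: str, outcome: str, principal: str) -> str:
    """Build one constructed JSON audit line (sample data, not a real log)."""
    return json.dumps({
        "event": {"dataset": dataset, "action": action, "outcome": outcome},
        "gcp": {"audit": {"authentication_info": {"principal_email": principal}}},
    })


# Constructed sample input: two true hits, one addon-manager exclusion,
# one failed request, one read-only verb, one record from another dataset.
SAMPLE_LINES = [
    _record("googlecloud.audit", "io.k8s.authorization.rbac.v1.rolebindings.create",
            "success", "alice@example.com"),
    _record("gcp.audit", "io.k8s.authorization.rbac.v1.clusterrolebindings.patch",
            "success", "system:addon-manager"),
    _record("gcp.audit", "io.k8s.authorization.rbac.v1.rolebindings.create",
            "failure", "bob@example.com"),
    _record("gcp.audit", "io.k8s.authorization.rbac.v1.rolebindings.get",
            "success", "bob@example.com"),
    _record("gcp.audit", "io.k8s.authorization.rbac.v1beta1.clusterrolebindings.create",
            "success", "ci-deployer@proj.iam.gserviceaccount.com"),
    _record("aws.cloudtrail", "io.k8s.authorization.rbac.v1.rolebindings.patch",
            "success", "alice@example.com"),
]


def detect(lines: Iterable[str]) -> List[Optional[object]]:
    """Return the principal of every JSON line the rule would alert on."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if matches(event):
            hits.append(get_field(event, "gcp.audit.authentication_info.principal_email"))
    return hits


if __name__ == "__main__":
    for principal in detect(SAMPLE_LINES):
        print("ALERT: role binding created or patched by", principal)
```

The regex keeps the version segment open-ended so that bindings created through older RBAC API versions are not missed, and the principal exclusion is an exact-match set rather than a substring test, so an attacker-chosen account name that merely contains "addon-manager" still alerts.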
Categories
  • Cloud
  • Kubernetes
  • GCP
Data Sources
  • Web Credential
  • Cloud Service
  • Logon Session
  • Network Traffic
Created: 2021-06-06