drop k8s audit log · detect role/clusterrole escalation patterns
flags cluster-admin bindings · escalate/bind permissions · pods/exec as root · privileged pod specs
heuristic screener · audit schema varies by k8s version and distro — not definitive proof
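A minimal screener for the four patterns listed above, as an added example and not this tool's own code. It assumes one `audit.k8s.io/v1` event per line in JSON; the finding labels and function names are hypothetical. Write events logged at `Metadata` level carry no `requestObject`, so they are reported as uninspectable rather than passed as clean.

```python
import json

WRITE_VERBS = {"create", "update", "patch"}
BINDINGS, ROLES = {"rolebindings", "clusterrolebindings"}, {"roles", "clusterroles"}

def screen_event(ev):
    """Return heuristic finding labels for one audit event (possibly empty)."""
    ref = ev.get("objectRef") or {}
    res, sub, obj = ref.get("resource"), ref.get("subresource"), ev.get("requestObject")
    # The exec event carries no container UID, so "as root" needs the pod spec.
    findings = ["pods-exec"] if (res == "pods" and sub == "exec") else []
    if ev.get("verb") not in WRITE_VERBS or sub or res not in BINDINGS | ROLES | {"pods"}:
        return findings
    if not isinstance(obj, dict):  # Metadata-level policy or JSON-patch list body
        return ["uninspectable-write"]
    if res in BINDINGS:
        if (obj.get("roleRef") or {}).get("name") == "cluster-admin":
            findings.append("cluster-admin-binding")
    elif res in ROLES:
        if any({"escalate", "bind"} & set(r.get("verbs") or []) for r in obj.get("rules") or []):
            findings.append("escalate-or-bind-rule")
    else:
        spec = obj.get("spec") or {}
        ctrs = (spec.get("containers") or []) + (spec.get("initContainers") or [])
        if any((c.get("securityContext") or {}).get("privileged") is True for c in ctrs):
            findings.append("privileged-pod")
    return findings

def screen_log(text):
    """Screen JSON-lines audit output; return (line_no, username, finding) tuples."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if isinstance(ev, dict):
            user = (ev.get("user") or {}).get("username", "?")
            hits += [(n, user, f) for f in screen_event(ev)]
    return hits

SAMPLE = """\
{"verb":"create","user":{"username":"dev-1"},"objectRef":{"resource":"clusterrolebindings"},"requestObject":{"roleRef":{"name":"cluster-admin"}}}
{"verb":"update","user":{"username":"dev-2"},"objectRef":{"resource":"clusterroles"},"requestObject":{"rules":[{"verbs":["bind"]}]}}
{"verb":"create","user":{"username":"ci-bot"},"objectRef":{"resource":"pods"},"requestObject":{"spec":{"containers":[{"securityContext":{"privileged":true}}]}}}
{"verb":"create","user":{"username":"dev-1"},"objectRef":{"resource":"pods","subresource":"exec","name":"web-0"}}
{"verb":"update","level":"Metadata","user":{"username":"dev-3"},"objectRef":{"resource":"rolebindings"}}
{"verb":"list","user":{"username":"dev-3"},"objectRef":{"resource":"pods"}}
"""  # constructed events, trimmed to the fields the screener reads
```

`screen_log(SAMPLE)` flags lines 1 to 5 and leaves the `list` on line 6 alone; the hits are leads to triage against the cluster's RBAC and pod specs.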