Configuring a role with the verb impersonate for the resources group/user/* can let an attacker impersonate legitimate resources.
Make sure use of the verb impersonate for any Kubernetes resource is prohibited unless required. To make this change, remove all the RoleBindings or ClusterRoleBindings that are overly permissive.
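
One way to find the bindings to remove, as an added example that is not part of the original page: the script below reads RBAC objects in the JSON shape that `kubectl get clusterroles,clusterrolebindings -o json` returns and lists every subject bound to a role that allows impersonation. It goes slightly beyond the text by also treating a wildcard verb as granting impersonate and by checking `serviceaccounts` as a target; all object names in the sample are constructed.

```python
import json

# Constructed sample, shaped like the List that
# `kubectl get clusterroles,clusterrolebindings -o json` returns.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "impersonator"},
  "rules": [{"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "apps-admin"},
  "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-impersonate"},
  "roleRef": {"kind": "ClusterRole", "name": "impersonator"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "ci"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "read-pods"},
  "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
  "subjects": [{"kind": "User", "name": "alice"}]}
]}
""")

# users, groups and serviceaccounts live in the core ("") API group.
TARGETS = {"users", "groups", "serviceaccounts", "*"}

def rule_allows_impersonation(rule):
    """True if one RBAC rule grants impersonate (explicitly or by wildcard)."""
    return (bool(set(rule.get("verbs", [])) & {"impersonate", "*"})
            and bool(set(rule.get("apiGroups", [])) & {"", "*"})
            and bool(set(rule.get("resources", [])) & TARGETS))

def find_impersonation_grants(items):
    """Return (binding kind, binding, role, subject kind, subject) tuples."""
    risky = {(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"])
             for o in items if o["kind"] in ("Role", "ClusterRole")
             and any(rule_allows_impersonation(r) for r in o.get("rules") or [])}
    findings = []
    for o in items:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = o["roleRef"]
        # A Role is resolved in the binding's namespace; a ClusterRole has none.
        ns = o["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        if (ref["kind"], ns, ref["name"]) in risky:
            findings += [(o["kind"], o["metadata"]["name"], ref["name"], s["kind"], s["name"])
                         for s in o.get("subjects") or []]
    return findings

if __name__ == "__main__":
    for finding in find_impersonation_grants(SAMPLE["items"]):
        print(finding)
```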