Configuring a role that can create RoleBindings or ClusterRoleBindings and can also bind Roles or ClusterRoles gives an attacker the chance to attach privileged cluster roles to a service account of their choice.
Make sure that creating RoleBindings and binding Kubernetes roles is restricted to the cluster-admin service account. To make this change, remove all RoleBindings or ClusterRoleBindings that are overly permissive.
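
As an added example (not from the original page or any project's own tooling), the Python below checks Role/ClusterRole objects for the combination described above: `create` on bindings together with an unrestricted `bind` on roles. It goes slightly beyond the text by treating `*` wildcards as matches and by not flagging `bind` rules limited through `resourceNames`. The sample objects, the helper names and the `cluster-admin` allowlist are assumptions made for illustration.

```python
RBAC_GROUP = "rbac.authorization.k8s.io"
BINDINGS = {"rolebindings", "clusterrolebindings"}
ROLES = {"roles", "clusterroles"}

def grants(rule, verb, resources):
    """True if one RBAC rule grants `verb` on any of `resources` in the RBAC API group."""
    return (bool(set(rule.get("apiGroups", [])) & {RBAC_GROUP, "*"})
            and bool(set(rule.get("verbs", [])) & {verb, "*"})
            and bool(set(rule.get("resources", [])) & (resources | {"*"})))

def can_bind_any_role(role):
    """Role can create bindings AND holds an unrestricted `bind` on roles/clusterroles."""
    rules = role.get("rules") or []
    creates = any(grants(r, "create", BINDINGS) for r in rules)
    # A `bind` rule limited by resourceNames only covers the named roles, so it is not flagged.
    binds = any(grants(r, "bind", ROLES) and not r.get("resourceNames") for r in rules)
    return creates and binds

def audit(roles, allowed=frozenset({"cluster-admin"})):
    """Return names of Role/ClusterRole objects to review (allowlist is an assumption)."""
    return [r["metadata"]["name"] for r in roles
            if r["metadata"]["name"] not in allowed and can_bind_any_role(r)]

def rule(verbs, resources, groups=(RBAC_GROUP,), names=()):
    """Hypothetical helper: build one RBAC rule dict."""
    r = {"apiGroups": list(groups), "resources": list(resources), "verbs": list(verbs)}
    if names:
        r["resourceNames"] = list(names)
    return r

def role(name, *rules):
    """Hypothetical helper: build a minimal ClusterRole object."""
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": list(rules)}

# Constructed sample objects, shaped like the items of `kubectl get clusterroles -o json`.
SAMPLE_ROLES = [
    role("cluster-admin", rule(["*"], ["*"], groups=["*"])),
    role("binding-manager", rule(["create"], ["rolebindings"]),
         rule(["bind"], ["clusterroles"])),
    role("wildcard-rbac", rule(["*"], ["*"])),
    role("role-grantor", rule(["create"], ["rolebindings"]),
         rule(["bind"], ["clusterroles"], names=["view"])),
    role("binding-reader", rule(["get", "list"], ["rolebindings"])),
]

if __name__ == "__main__":
    for name in audit(SAMPLE_ROLES):
        print("review:", name)
```

Each role it reports should then be traced to the RoleBindings or ClusterRoleBindings that reference it, since those bindings are what the remediation removes.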