Granting a Kubernetes role other than the cluster-admin service account's role the permission to get and patch RoleBindings can give an attacker the chance to add impersonated users or groups.
Make sure that roles allowing get and patch on RoleBindings are granted only to the cluster-admin service account. To make this change, remove all RoleBindings or ClusterRoleBindings that are overly permissive.
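Added example (not from the original page or any tool it describes): a Python check that scans Role/ClusterRole and binding manifests, in the JSON shape `kubectl get ... -o json` returns and here constructed inline, for rules granting both get and patch on rolebindings, then reports every binding that hands such a role to a subject other than the allowed admin service account. It goes slightly beyond the text by treating the RBAC wildcard `*` in apiGroups, resources or verbs as granting the permission; `ALLOWED_SUBJECT` and all manifest names are assumptions.

```python
from typing import Dict, List, Set
RBAC_GROUP = "rbac.authorization.k8s.io"
# Assumption: the only subject allowed to hold this permission (kind, namespace, name).
ALLOWED_SUBJECT = ("ServiceAccount", "kube-system", "cluster-admin")
# Constructed sample manifests, in the shape `kubectl get ... -o json` returns them.
ROLES: List[Dict] = [
    {"kind": "ClusterRole", "metadata": {"name": "rolebinding-editor"},
     "rules": [{"apiGroups": [RBAC_GROUP], "resources": ["rolebindings"],
                "verbs": ["get", "patch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
BINDINGS: List[Dict] = [
    {"kind": "RoleBinding", "metadata": {"name": "ci-edits-bindings", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "rolebinding-editor"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "dev", "name": "ci-deployer"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admin-edits-bindings"},
     "roleRef": {"kind": "ClusterRole", "name": "rolebinding-editor"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "cluster-admin"}]},
]

def _has(values: List[str], wanted: str) -> bool:
    """True if the list names `wanted` explicitly or via the '*' wildcard."""
    return "*" in values or wanted in values

def rule_allows_rolebinding_patch(rule: Dict) -> bool:
    """A rule is risky when it grants both get and patch on rolebindings."""
    return (_has(rule.get("apiGroups", []), RBAC_GROUP)
            and _has(rule.get("resources", []), "rolebindings")
            and _has(rule.get("verbs", []), "get")
            and _has(rule.get("verbs", []), "patch"))

def risky_roles(roles: List[Dict]) -> Set[str]:
    """kind/name of every role that contains at least one risky rule."""
    return {f'{r["kind"]}/{r["metadata"]["name"]}' for r in roles
            if any(rule_allows_rolebinding_patch(x) for x in r.get("rules", []))}

def overly_permissive_bindings(roles: List[Dict], bindings: List[Dict]) -> List[str]:
    """Bindings that hand a risky role to any subject other than ALLOWED_SUBJECT."""
    risky, findings = risky_roles(roles), []
    for b in bindings:
        ref = f'{b["roleRef"]["kind"]}/{b["roleRef"]["name"]}'
        if ref not in risky:
            continue
        for s in b.get("subjects", []):
            if (s["kind"], s.get("namespace", ""), s["name"]) != ALLOWED_SUBJECT:
                findings.append(f'{b["kind"]}/{b["metadata"]["name"]}: {ref} -> '
                                f'{s["kind"]} {s.get("namespace", "")}/{s["name"]}')
    return findings
```

Each finding names a binding to remove or narrow; the admin binding is not reported because its subject matches the allowed service account.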