Audit privilege escalation concerns with DW stack

We want to audit actions users of the DW are able to perform. If users are able to perform operations on the control plane/ k8s api server that normally can not, that's an issue. The outcome of this task should be a document outlining what users can/can't do.