AKS RBAC - Rolebinding has no effect

Question

I'm setting up RBAC in my AKS cluster which is integrated with Azure AD following the instructions here. I have created an AD group in my AAD tenant, added a user to it. Then the group is assigned "Cluster User role" in the AKS cluster as per the instructions. Created a Role and Rolebinding as shown below:

Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development
  name: restricted-role
rules:
- apiGroups: [""] 
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

RoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: development
subjects:
- kind: Group
  name: 308f50cb-e05a-4340-99d4-xxxxxxxb 
  apiGroup: rbac.authorization.k8s.io
  namespace: development
roleRef:
  kind: Role 
  name: restricted-role 
  apiGroup: rbac.authorization.k8s.io

I then tried login using the new user credentials:

az login --username kubeuser@xxx.onmicrosoft.com --password xxxx

az aks get-credentials --name mycluster --resource-group myrg --overwrite-existing

As per the documentation, I should be only allowed to do kubectl get pods on the development namespace. However, using this new user credentials, I see that I can do kubectl get pods --all-namespaces, kubectl get svc --all-namespaces etc. and view the results, as if the Rolebinding does not have any impact at all. I also have verified by checking that my cluster has

"enableRBAC": true

Can someone please tell me what is wrong with this configuration?

Answer 1

Using the command:

az aks show -g <rg> -n <clusterName> --query aadProfile

you can confirm if the cluster has Azure Active Directory enabled. If so, the kubeconfig file you get from the following command:

az aks get-credentials -g <rg_name> -n <aks_name>

should look like:

user:
  auth-provider:
    config:
      apiserver-id: <appserverid>
      client-id: <clientid>
      environment: AzurePublicCloud
      tenant-id: <tenant>
    name: azure