Hello Konstantin Bachem,

Welcome to Microsoft Q&A Platform, thanks for posting your query here.

Based on the details you provided, it looks like there is a discrepancy between the Entra ID roles and the Kubernetes RBAC roles assigned to the users.

The `cluster-admin` ClusterRole grants full access to all resources in all namespaces in the cluster, and it should only be assigned to users who require full administrative access to the cluster.

The Azure Kubernetes Service Cluster Admin role in Entra ID corresponds to the `cluster-admin` ClusterRole in Kubernetes, while the Azure Kubernetes Service Cluster User role in Entra ID corresponds to a more limited set of permissions in Kubernetes.

It is possible that the `clusterUser` user in Kubernetes was mistakenly assigned the `cluster-admin` ClusterRole, which would grant them full administrative access to the cluster. I would recommend reviewing the RBAC roles assigned to each user in Kubernetes and ensuring that they correspond to the appropriate Entra ID roles.

If you are still unsure about the RBAC roles assigned to users in your AKS cluster, you can use the `kubectl describe clusterrolebinding` command to view the details of the ClusterRoleBindings that have been created.

Hope this helps.
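As an added example (not part of the answer above), here is a small Python audit over the output of `kubectl get clusterrolebinding -o json` that lists every subject a ClusterRoleBinding ties to `cluster-admin` and flags the ones outside an allow-list. The JSON below is a constructed sample in that shape, and the allow-list of expected admin subjects is an assumption to adjust per cluster.

```python
import json

# Constructed sample mimicking `kubectl get clusterrolebinding -o json`
# (assumption: a List object with an "items" array). One binding here
# mistakenly ties the clusterUser identity to cluster-admin.
SAMPLE_KUBECTL_JSON = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "clusteruser-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "clusterUser"}]},
    {"metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "clusterUser"}]},
]})


def subjects_bound_to(kubectl_json, role="cluster-admin"):
    """Return (binding, subject kind, subject name) for every subject that a
    ClusterRoleBinding ties to the named ClusterRole."""
    found = []
    for item in json.loads(kubectl_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        # "subjects" is optional in the RBAC API; a binding may list none.
        for subj in item.get("subjects") or []:
            found.append((item["metadata"]["name"], subj.get("kind"), subj.get("name")))
    return found


def unexpected_admins(kubectl_json, allowed=("system:masters",)):
    """cluster-admin subjects outside the allow-list, i.e. the ones to review."""
    return [s for s in subjects_bound_to(kubectl_json) if s[2] not in allowed]


if __name__ == "__main__":
    for binding, kind, name in unexpected_admins(SAMPLE_KUBECTL_JSON):
        print(f"{binding}: {kind} {name} is bound to cluster-admin")
```

On a live cluster, pipe `kubectl get clusterrolebinding -o json` into `subjects_bound_to` instead of the sample; with Entra ID integration, Group subjects will appear as Entra group object IDs rather than display names.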