Welcome to Kubernetes RBAC.

Kubernetes RBAC is a feature that allows for granular filtering of user actions within an AKS cluster. It allows you to assign specific permissions to users or user groups. For example, you can allow them to create resources, modify resources, or view logs from running application workloads. These permissions can be scoped to a single namespace or applied to the entire cluster.

To set up Kubernetes RBAC, you first define user permissions as a Role. Roles grant permissions within a namespace, while ClusterRoles are used to grant permissions across the entire cluster or to cluster resources outside the namespace. Roles are then assigned to users with RoleBindings or ClusterRoleBindings.

If your AKS cluster is integrated with Azure AD, a RoleBinding grants permissions defined in the role to Azure AD users to perform actions within the cluster. A ClusterRoleBinding grants that access cluster-wide. It's important to note that Kubernetes roles only grant permissions and do not deny them.

Kubernetes also uses service accounts, which are one of the primary user types in Kubernetes. Service accounts are created and managed by the Kubernetes API and are stored as Kubernetes secrets. They can be used by authorized pods to communicate with the API server.

So the key takeaway here is that Kubernetes RBAC allows for granular filtering of user actions within an AKS cluster by assigning specific permissions to users or user groups, scoping those permissions to a single namespace or the entire cluster, and using roles, rolebindings and clusterrolebindings to assign those permissions. Additionally, AKS uses service accounts to authenticate pods and can also be integrated with Azure AD for user authentication.