When explaining this to a client, it is helpful to describe it as the difference between who can touch the physical server (the building) versus who can edit the files on the computer inside (the office).
In 2026, the industry standard is to use Azure RBAC for both, but they still operate on two distinct “control planes.”
1. The Two Control Planes
In AKS, access is split into two layers:
- The Azure Control Plane (Azure RBAC): This governs the “outside” of the cluster. It’s about the Kubernetes resource itself as it exists in your Azure portal.
- The Kubernetes Control Plane (Kubernetes RBAC): This governs the “inside” of the cluster. It’s about the pods, namespaces, and deployments running on the nodes.
2. Side-by-Side Comparison
| Feature | Azure RBAC | Kubernetes RBAC |
| Scope | Subscription / Resource Group / AKS Resource | Cluster / Namespace / Specific Pods |
| Managed Via | Azure Portal, CLI, Terraform | kubectl, YAML manifests, Helm |
| Typical Actions | Scaling nodes, Upgrading K8s version, Deleting the cluster. | Creating a Pod, Editing a Service, Viewing logs in a Namespace. |
| Identity Source | Microsoft Entra ID (Azure AD) | Service Accounts (or Entra ID via integration) |
3. The “Hybrid” Option (Azure RBAC for K8s Authorization)
This is the most confusing part for beginners, but the most important for you to propose to your client.
You can now use Azure RBAC to manage internal Kubernetes permissions. Instead of writing complex RoleBinding YAML files for every user, you assign them a built-in Azure role that Kubernetes understands.
Key Built-in Roles (2026 Standards):
- AKS RBAC Viewer: Can see resources in a namespace but can’t see secrets or change anything.
- AKS RBAC Writer: Can deploy apps and edit resources.
- AKS RBAC Admin: Full control over a namespace.
- AKS RBAC Cluster Admin: The “God Mode” for the entire cluster.
4. How to Explain the Workflow to Your Manager
“Think of it like a bank:
- Azure RBAC is the security guard at the front door. He checks your ID (Entra ID) and decides if you’re even allowed in the building. He also decides who can add more teller windows (Scale nodes) or renovate the lobby (Upgrade cluster).
- Kubernetes RBAC is the permissions on the safe. Once you’re inside, it decides if you can open Drawer A (Namespace ‘Dev’) or Drawer B (Namespace ‘Prod’).”
Pro-Tip: Recommendation
If you want to provide “Gold Standard” support, propose disabling local accounts and moving entirely to Azure RBAC for Kubernetes Authorization. > Why? Because when an employee leaves the company and their Entra ID (Azure AD) is deleted, their access to the Kubernetes cluster is instantly revoked. No orphaned RoleBindings to worry about.
Understanding how a developer goes from their laptop to a running container in a secured AKS environment is the best way to prove the value of your setup.
Here is the step-by-step lifecycle of a developer’s request in a Zero-Trust AKS environment.
The Access Lifecycle (Step-by-Step)
1. Authentication (The Gatekeeper)
The developer doesn’t have a “Kubernetes password.” Instead, they run:
Bash
az loginaz aks get-credentials --resource-group rg-prod --name aks-01
At this moment, Azure RBAC checks if their Entra ID account has permission to even download the cluster configuration.
2. Authorization (The Office Door)
The developer tries to deploy a new microservice:
Bash
kubectl apply -f my-app.yaml
The AKS API Server intercepts this. Since we are using Azure RBAC for Kubernetes Authorization, it asks Entra ID: “Does this user have the ‘AKS RBAC Writer’ role for the ‘Production’ namespace?” * If Yes: The request proceeds.
- If No: The request is blocked with a
403 Forbiddenerror.
3. Policy Validation (The Safety Inspector)
Before the pod is actually scheduled, Azure Policy (the Admission Controller) scans the my-app.yaml.
- It checks: “Is this container trying to run as root? Does it have CPU limits?” * If the YAML is “lazy” (insecure), Azure Policy rejects it immediately, even though the developer has “Writer” permissions.
4. Identity & Secrets (The Secure Handshake)
Once the pod starts, it needs to talk to the database.
- The pod presents its Workload Identity (a managed identity) to the Azure Key Vault.
- Key Vault verifies the pod’s identity and hands over the database string via the CSI Driver.
- The password is never stored in a file or an environment variable where a human could see it.
Summary Table for Your Proposal
To wrap this up for your client, you can present this “Success Path” to show them exactly what they are paying for:
| Stage | Security Layer | Purpose |
| Login | Entra ID | Ensures only active employees can connect. |
| Action | Azure RBAC | Limits what a developer can do (e.g., Read vs. Write). |
| Deploy | Azure Policy | Forces best practices (No root, resource limits). |
| Connect | Workload Identity | Eliminates hardcoded passwords in the code. |
Pro-Tip: The “Audit” Hook
Tell your client: “With this setup, we can generate a report at any time showing exactly who accessed the production cluster and what they changed. This makes SOC2 or ISO27001 audits a breeze.”
Infra Cloud Solutions 