Tags: azure, aks, roles, rbac

Does Azure RBAC roles for AKS work as described in documentation?


I am trying to implement Azure RBAC on an existing AKS cluster. I am using Azure AD authentication with Azure RBAC. I understand as per documentation that I do not need to create any roles/role bindings in Kubernetes if I use built-in roles. Does this work as expected? If I add built-in Azure AKS roles to AAD groups, will it work? It should limit access both in the portal and via kubectl.

I tried adding the AKS RBAC Reader role to a group called "Developers". Then I added my user to the same group. I am able to change, view, and delete roles/rolebindings via kubectl. This should not be possible as per the document: https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac. Do I need to create roles and role bindings in k8s?


Solution

  • It should work properly as you've described.

    Are you absolutely sure you don't have a wider AKS RBAC role at a higher scope (e.g. AKS RBAC Cluster Admin at the subscription scope)?

    Have you inadvertently used a Kubernetes local admin account to authenticate with (az aks get-credentials --admin)?

    You will need to reauthenticate with the cluster after changing RBAC roles.
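The first two checks in the answer can be scripted against the Azure CLI's role-assignment listing and the local kubeconfig. This is an added shell example, not from the original post: the `az role assignment list` output and the kubeconfig below are constructed samples, the subscription id is a placeholder, and the `<cluster>-admin` context name is what `az aks get-credentials --admin` writes.

```shell
#!/bin/sh
# Constructed sample of:
#   az role assignment list --all --assignee <upn> \
#     --query "[].[roleDefinitionName,scope]" -o tsv
# One tab-separated "role<TAB>scope" pair per line (placeholder subscription id).
SUB="/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS="$(printf '%s\t%s\n%s\t%s\n%s\t%s' \
  'Azure Kubernetes Service RBAC Reader' \
  "$SUB/resourceGroups/rg-dev/providers/Microsoft.ContainerService/managedClusters/aks-dev" \
  'Azure Kubernetes Service RBAC Cluster Admin' "$SUB" \
  'Reader' "$SUB/resourceGroups/rg-dev")"

# Print AKS RBAC assignments whose scope is wider than a single cluster
# (resource group or subscription). Those are inherited by every cluster
# underneath and silently override a narrower Reader assignment.
wide_aks_rbac_assignments() {
  printf '%s\n' "$1" | awk '
    BEGIN { FS = "\t" }
    $1 ~ /^Azure Kubernetes Service RBAC/ && $2 !~ /\/managedClusters\// {
      print $1 " @ " $2
    }'
}

# Constructed kubeconfig fragment. `az aks get-credentials --admin` merges a
# context named "<cluster>-admin" backed by the local clusterAdmin credential,
# which bypasses Azure RBAC entirely.
SAMPLE_KUBECONFIG='apiVersion: v1
current-context: aks-dev-admin
contexts:
- name: aks-dev
  context:
    cluster: aks-dev
    user: clusterUser_rg-dev_aks-dev
- name: aks-dev-admin
  context:
    cluster: aks-dev
    user: clusterAdmin_rg-dev_aks-dev'

# Exit status 0 when the active context is a local admin context.
using_admin_context() {
  printf '%s\n' "$1" | awk '
    /^current-context:/ { ctx = $2 }
    END { if (ctx ~ /-admin$/) exit 0; exit 1 }'
}

# Stand-alone run against the constructed samples.
wide_aks_rbac_assignments "$SAMPLE_ASSIGNMENTS"
using_admin_context "$SAMPLE_KUBECONFIG" && echo "active kubeconfig context is a local admin context"
```

In practice, replace the constructed strings with the live outputs of `az role assignment list` and `kubectl config view --minify`; once any offending assignment or admin context is removed, fetch fresh credentials without `--admin` so the cached token reflects the intended role.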