1) Created a new AKS cluster in the Azure portal
2) Enabled RBAC
3) Selected the new AKS cluster and namespace in the Azure DevOps "Add Kubernetes Resource" inside an Environment
4) Used kubectl to examine what Azure DevOps did
5) Verified Azure DevOps created a service account with cluster-admin role for a RBAC-enabled cluster
New service account:

```
kubectl get serviceaccount --namespace test
NAME               SECRETS   AGE
azdev-sa-403636    1         37m
```

New RoleBinding:

```
kubectl get rolebinding --namespace test -o json
```

```json
"roleRef": {
    "apiGroup": "rbac.authorization.k8s.io",
    "kind": "ClusterRole",
    "name": "cluster-admin"
},
"subjects": [
    {
        "kind": "ServiceAccount",
        "name": "azdev-sa-403636",
        "namespace": "test"
    }
```

According to the documentation, the service account should be least-privileged:

> For an RBAC enabled cluster, RoleBinding is created as well to limit the scope of the created service account to the chosen namespace. For an RBAC disabled cluster, the ServiceAccount created has cluster-wide privileges (across namespaces).
Either the documentation needs to be updated to say _For an RBAC enabled cluster, the ServiceAccount created has a cluster-admin role_ or the DevOps bug needs to be corrected.
@GeorgeTsiokos we are taking a glimpse at CSS Azure DevOps support, we are going to analyze the data
Azure DevOps Support #: 120061921001404
Would be great if the documentation included the service account RBAC permissions required in the namespace for Azure DevOps Kubernetes environments.
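An added example, not code from the issue or from Azure DevOps, that turns the `kubectl get rolebinding -o json` check from the report above into a repeatable audit and shows the shape of the namespaced Role the later comment asks for. A RoleBinding whose `roleRef` is the `cluster-admin` ClusterRole grants every verb on every resource in that namespace (not cluster-wide, since the binding is namespaced), which is still far from least privilege for a deploy identity. The sample JSON is constructed to mirror the reported binding (its `metadata.name` is assumed, as the issue only shows `roleRef` and `subjects`), and the rule set in `DEPLOY_RULES` is an illustrative assumption, not the permission set Azure DevOps documents.

```python
import json
import sys

# Constructed sample of `kubectl get rolebinding --namespace test -o json`, trimmed to
# the fields the audit reads. The first item mirrors the binding reported in the issue
# (the binding's own metadata.name is assumed); the second is a benign namespaced Role.
SAMPLE_ROLEBINDINGS_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": "azdev-rb-403636", "namespace": "test"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "azdev-sa-403636",
                          "namespace": "test"}],
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": "ci-deployer", "namespace": "test"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "Role", "name": "deployer"},
            "subjects": [{"kind": "ServiceAccount", "name": "ci-sa", "namespace": "test"}],
        },
    ],
})

# ClusterRoles that, even through a namespaced RoleBinding, hand the subject every verb
# on every resource in that namespace. Extend the set to match local policy.
PRIVILEGED_CLUSTER_ROLES = frozenset({"cluster-admin"})


def find_privileged_bindings(rolebindings_json, privileged=PRIVILEGED_CLUSTER_ROLES):
    """Return one finding per (binding, subject) whose roleRef is a privileged ClusterRole.

    Accepts either a single RoleBinding document or the List that kubectl emits.
    """
    doc = json.loads(rolebindings_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for rb in items:
        ref = rb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in privileged:
            continue
        meta = rb.get("metadata", {})
        for subject in rb.get("subjects", []):
            findings.append({
                "namespace": meta.get("namespace"),
                "binding": meta.get("name"),
                "role": ref["name"],
                "subject": f"{subject.get('kind')}/{subject.get('name')}",
            })
    return findings


# Verbs and resources a deploy-only pipeline identity is assumed to need. This is an
# illustrative assumption, not the permission set Azure DevOps documents; tune it to
# what the pipeline actually applies.
DEPLOY_RULES = [
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["services", "configmaps", "secrets"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["pods", "pods/log", "events"],
     "verbs": ["get", "list", "watch"]},
]


def least_privilege_binding(service_account, namespace, rules=DEPLOY_RULES):
    """Build a namespaced Role plus a RoleBinding to it, replacing the cluster-admin reference.

    Returns a List manifest that `kubectl apply -f -` accepts as JSON.
    """
    role_name = f"{service_account}-deployer"
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": {"name": role_name, "namespace": namespace},
        "rules": rules,
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
        "metadata": {"name": f"{service_account}-binding", "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                    "name": role_name},
        "subjects": [{"kind": "ServiceAccount", "name": service_account,
                      "namespace": namespace}],
    }
    return {"apiVersion": "v1", "kind": "List", "items": [role, binding]}


if __name__ == "__main__":
    # Pipe real output in: kubectl get rolebinding -n test -o json | python3 audit_rbac.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROLEBINDINGS_JSON
    for f in find_privileged_bindings(data):
        print(f"{f['namespace']}/{f['binding']}: {f['subject']} -> ClusterRole/{f['role']}")
        if f["subject"].startswith("ServiceAccount/"):
            sa = f["subject"].split("/", 1)[1]
            print(json.dumps(least_privilege_binding(sa, f["namespace"]), indent=2))
```

Run it against every namespace an Azure DevOps environment resource was created in; a finding for a service account named like `azdev-sa-*` reproduces what the issue reports. The generated Role is only a starting point: apply it, run the pipeline, and widen the rules from the API server's forbidden responses rather than starting from `cluster-admin` and narrowing down.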