Revoke access to kubernetes cluster on google container engine

9/12/2016

I'm hosting on google container engine. Recently one of my team mates left the company and I want to revoke his access rights to the cluster. I removed his account from the compute engine project already, yet he can still access the cluster.

He got access through gcloud container clusters get-credentials <cluster>. The entries I see in my ~/.kube/config look as if I get the same certificate as all of my colleagues.

What do I need to do to remove him from the cluster? To me it seems as if there is zero documentation on this topic.

Additional Note: The cluster is still on kubernetes 1.2.5

-- tback
google-kubernetes-engine
kubernetes
security

1 Answer

9/12/2016

When using the per-cluster certificate, there is currently no way to revoke/rotate certificates (see Issue #4672). The only way to completely revoke access is to delete and recreate the cluster.

If you instead use Google OAuth2 credentials to access your cluster (the default w/ a 1.3 cluster and an up-to-date client), permissions are tied to your project's IAM configuration, and can be revoked/changed at any time.

Retrieving the cluster certificate requires the caller to have container.clusters.getCredentials permission, which is contained by the Container Engine Admin and Editor roles. As long as the roles that you give to your team members do not contain that permission (e.g. Container Engine Developer), they will not be able to retrieve cluster certificates.

Here are the GKE IAM docs for more info on GKE permissions and roles.

-- CJ Cullen
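As an added example (not code from the question or the answer): a small Python check over a parsed kubeconfig that flags user entries backed by a static client certificate (which, per the answer above, cannot be revoked short of recreating the cluster) versus the gcp auth-provider (OAuth2, governed by project IAM), and reports when several entries share one certificate, as the question describes. The kubeconfig contents, user names and certificate bytes are constructed; on a real file you would pass the dict returned by yaml.safe_load on ~/.kube/config.

```python
"""Classify kubeconfig user entries by how their credentials can be revoked."""
import base64
import hashlib

# Constructed sample: the dict shape yaml.safe_load gives for ~/.kube/config.
# Two entries share one static client certificate (the situation in the
# question); a third uses the gcp auth-provider (OAuth2, IAM-controlled).
# The certificate bytes are fake placeholders, not a real certificate.
FAKE_CERT_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"
).decode()
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "users": [
        {"name": "gke_proj_zone_c1/alice",
         "user": {"client-certificate-data": FAKE_CERT_B64, "client-key-data": "..."}},
        {"name": "gke_proj_zone_c1/bob",
         "user": {"client-certificate-data": FAKE_CERT_B64, "client-key-data": "..."}},
        {"name": "gke_proj_zone_c2",
         "user": {"auth-provider": {"name": "gcp", "config": {}}}},
    ],
}

def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the decoded certificate bytes, so identical certs compare equal."""
    return hashlib.sha256(base64.b64decode(b64_cert)).hexdigest()[:16]

def classify_users(cfg: dict) -> dict:
    """Map user name -> (credential kind, revocable via IAM?, cert fingerprint)."""
    result = {}
    for entry in cfg.get("users", []):
        u = entry.get("user", {})
        if "client-certificate-data" in u:
            # Static cert embedded in the kubeconfig: only cluster recreation revokes it.
            result[entry["name"]] = ("client-certificate", False,
                                     cert_fingerprint(u["client-certificate-data"]))
        elif u.get("auth-provider", {}).get("name") == "gcp":
            # OAuth2 token fetched via gcloud: access follows the project's IAM policy.
            result[entry["name"]] = ("gcp-oauth2", True, None)
        else:
            result[entry["name"]] = ("other-static", False, None)
    return result

def shared_certificates(classified: dict) -> dict:
    """Fingerprints used by more than one user entry -> list of those entry names."""
    by_fp = {}
    for name, (kind, _, fp) in classified.items():
        if kind == "client-certificate":
            by_fp.setdefault(fp, []).append(name)
    return {fp: names for fp, names in by_fp.items() if len(names) > 1}

if __name__ == "__main__":
    users = classify_users(SAMPLE_KUBECONFIG)
    for name, (kind, revocable, fp) in users.items():
        print(f"{name}: {kind}, IAM-revocable={revocable}, cert={fp}")
    for fp, names in shared_certificates(users).items():
        print(f"certificate {fp} is shared by {len(names)} entries: {', '.join(names)}")
```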
Source: StackOverflow