I've launched a couple clusters through KOPS and, being new to provisioning k8s clusters, shared the entire kube config file with my team. I had assumed incorrectly that I could easily change username and password to prevent developers that have left the company from authenticating if they had the kube config file.
The sample user section looks something like this:
- name: kubernetes.example.com
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
password: REDACTED
username: REDACTED
When I change the password, I can still authenticate. But removing the certificate sections I become unauthorized. I've set up aws-iam-authenticator and that is working perfectly, but the certificate authentication still works indicating that anyone with access to the original kube config would still be able to authenticate with the server.
Is there any easy way outside of relaunching a new cluster to rotate these certificates or turn off certificate authentication altogether and just defer to AWS authentication?