Rotate certificate for kubernetes in a KOPS managed cluster

8/24/2018

I've launched a couple of clusters through KOPS and, being new to provisioning k8s clusters, shared the entire kube config file with my team. I had assumed incorrectly that I could easily change the username and password to prevent developers that have left the company from authenticating if they had the kube config file.

The sample user section looks something like this:

- name: kubernetes.example.com
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    password: REDACTED
    username: REDACTED

When I change the password, I can still authenticate. But when I remove the certificate sections, I become unauthorized. I've set up aws-iam-authenticator and that is working perfectly, but the certificate authentication still works, indicating that anyone with access to the original kube config would still be able to authenticate with the server.

Is there any easy way outside of relaunching a new cluster to rotate these certificates or turn off certificate authentication altogether and just defer to AWS authentication?

-- Zach Kauffman
amazon-web-services
kops
kubernetes

0 Answers