There are multiple ways of doing this, in case your machine gets compromised and you want to disable access to the cluster. Note that no solution will prevent a small window where a hacker can gain access and do some damage.

• OIDC authentication (OpenID Connect). Mitigation -> Disable the OIDC user on the OIDC provider and enable a lifetime for the session in the OIDC provider.

• Webhook authentication. Mitigation -> disable client certs on the webhook service and the token lifetime is controlled by --authentication-token-webhook-cache-ttl which defaults to 2 minutes. In this case, the webhook service manages the tokens on your K8s cluster.

• Authenticating Proxy. Mitigation -> disable users on the proxy.

• Client Go credential plugins. Mitigation -> Disable user in the provider where the plugin is authenticating with. For example, the AWS IAM Authenticator uses this, so you would delete or disable the IAM user on AWS.