I have a Kubernetes v1.14 on-prem cluster deployed using kubeadm and my kubernetes-admin user login has been compromised.

I want to revoke its certificate but the Kubernetes API server does not have a mechanism to lookup a CRL file. I already created another admin user using a new ClusterRoleBinding. The only solution I see is to de-authorize the user by removing it's associated ClusterRoleBinding: cluster-admin.

However, this ClusterRoleBinding's Subject is the "system:masters" group. Even though I couldn't find any other system user that belongs to the "system:masters" group I'm afraid it will break some things if I delete it. I don't have any experience with this kind of situation.

I googled a lot but I couldn't find relevant information on this topic for open-source Kubernetes.

Is it safe to delete the "cluster-admin" ClusterRoleBinding?

% openssl x509 -noout  -subject -in  <(kubectl config view --raw  -o jsonpath='{.users[?(@.name == "kubernetes-admin")].user.client-certificate-data}'  | base64 -d)
subject= /O=system:masters/CN=kubernetes-admin
% 

% kubectl describe clusterrolebindings.rbac.authorization.k8s.io cluster-admin 
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters  
%