I need to rotate admin.conf for a cluster so old users who used that as their kubeconfig wouldn't be allowed to perform actions anymore. How can I do that?
This is a Community Wiki answer, posted for better visibility, so feel free to edit it and add any additional details you consider important.
As mdaniel wrote in his comment:
the answer to your question is "rekey the entire apiserver CA hierarchy" or wait for admin.conf cert to expire, because those admin.conf credentials are absolute. Next time, use the provided oidc mechanism for user auth.
For a kubeadm-based Kubernetes cluster, please also refer to Certificate Management with kubeadm. For manual rotation of CA Certificates, please refer to this section. Pay special attention to point 7:
- Update certificates for user accounts by replacing the content of client-certificate-data and client-key-data respectively.
For information about creating certificates for individual user accounts, see Configure certificates for user accounts.
Additionally, update the certificate-authority-data section in the kubeconfig files, respectively with Base64-encoded old and new certificate authority data.
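Point 7 above, sketched as an added example (not part of the original answer or the Kubernetes documentation): it replaces a user's client-certificate-data and client-key-data and rewrites certificate-authority-data as a Base64-encoded bundle of the old and new CA. It assumes the kubeconfig is already parsed into a mapping; `rotate_kubeconfig` is a hypothetical helper and all PEM values are constructed placeholders.

```python
import base64
import copy

def b64(text):
    return base64.b64encode(text.encode()).decode()

def pem(label, body):
    # Constructed placeholder PEM block; the body is not a real certificate or key.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def rotate_kubeconfig(cfg, user, new_cert_pem, new_key_pem, new_ca_pem):
    """Return a copy of a parsed kubeconfig with rotated credentials for `user`."""
    out = copy.deepcopy(cfg)
    entry = next((u["user"] for u in out["users"] if u["name"] == user), None)
    if entry is None:
        raise KeyError(f"no user {user!r} in kubeconfig")
    if "client-certificate-data" not in entry:
        # Token/OIDC/exec users carry no embedded certificate to replace.
        raise ValueError(f"user {user!r} has no embedded client certificate")
    entry["client-certificate-data"] = b64(new_cert_pem)
    entry["client-key-data"] = b64(new_key_pem)
    for cluster in out["clusters"]:
        c = cluster["cluster"]
        old_ca = base64.b64decode(c["certificate-authority-data"]).decode()
        if new_ca_pem.strip() not in old_ca:  # keep the call idempotent
            # Old CA first, new CA appended: the client trusts the API server
            # before and after its serving certificate is reissued.
            bundle = old_ca.rstrip("\n") + "\n" + new_ca_pem.strip() + "\n"
            c["certificate-authority-data"] = b64(bundle)
    return out

# Constructed sample shaped like a kubeadm admin.conf (values are placeholders).
OLD_CA, NEW_CA = pem("CERTIFICATE", "old-ca"), pem("CERTIFICATE", "new-ca")
NEW_CERT, NEW_KEY = pem("CERTIFICATE", "new-admin"), pem("PRIVATE KEY", "new-key")
SAMPLE = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "kubernetes", "cluster": {
        "server": "https://203.0.113.10:6443",
        "certificate-authority-data": b64(OLD_CA)}}],
    "users": [{"name": "kubernetes-admin", "user": {
        "client-certificate-data": b64(pem("CERTIFICATE", "old-admin")),
        "client-key-data": b64(pem("PRIVATE KEY", "old-key"))}}],
}

if __name__ == "__main__":
    rotated = rotate_kubeconfig(SAMPLE, "kubernetes-admin", NEW_CERT, NEW_KEY, NEW_CA)
    ca = rotated["clusters"][0]["cluster"]["certificate-authority-data"]
    print(base64.b64decode(ca).decode())
```

The old CA stays in the bundle only for the transition; as the quoted comment says, the old admin.conf certificate keeps working until the API server no longer trusts the CA that signed it.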