Delete kubeconfig


Container Service for Kubernetes (ACK) issues kubeconfig credentials to Alibaba Cloud accounts, RAM users, and RAM roles to connect to clusters. The kubeconfig management feature lets you view the status of all issued kubeconfig files and delete those that pose security risks.

Kubeconfig

A kubeconfig file configures access credentials for a cluster on a client. You can obtain a kubeconfig file from the ACK console or obtain a cluster kubeconfig via API. Manage your kubeconfig credentials properly to prevent security risks from credential leaks.

Important

A kubeconfig file has a specific validity period and becomes invalid upon expiration. To find the expiration date of a kubeconfig file, see How do I find the expiration date of the certificate used by a kubeconfig file?

Kubeconfig status

A kubeconfig file in Container Service for Kubernetes (ACK) can have one of four statuses.

  • Not Issued: A kubeconfig file for the cluster has never been issued to the current RAM user or RAM role.

  • Effective: The kubeconfig file for the current RAM user or RAM role exists and has not expired. Residual RBAC permissions exist for the current user or role, even if the user has deleted their local copy of the kubeconfig file.

  • Expired: The kubeconfig file for the current RAM user or RAM role exists but has expired.

  • Deleted: A kubeconfig file for the cluster was issued to the current RAM user or RAM role but has been deleted.

Deleting a kubeconfig file removes the kubeconfig information for the cluster and the RBAC binding of the RAM user or RAM role.
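The Effective and Expired statuses above follow from the validity window of the client certificate embedded in the kubeconfig file. The following Go program is an added example, not ACK's own code or tooling: it generates a constructed self-signed client certificate, wraps it in a minimal kubeconfig, reads the client-certificate-data field back out, and classifies the file as Effective or Expired from the certificate's NotAfter date. The user name, certificate and kubeconfig layout are constructed; a kubeconfig that carries a token instead of a certificate is reported as an error rather than guessed at.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// makeClientCert builds a throwaway self-signed client certificate that
// expires at notAfter. It stands in for the certificate ACK embeds in an
// issued kubeconfig (constructed test data, not an ACK-issued credential).
func makeClientCert(notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-ram-user"},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// buildKubeconfig wraps a PEM certificate in the flat kubeconfig layout that
// kubectl reads: client-certificate-data holds the base64 of the PEM text.
func buildKubeconfig(certPEM []byte) string {
	return strings.Join([]string{
		"apiVersion: v1",
		"kind: Config",
		"users:",
		"- name: constructed-ram-user",
		"  user:",
		"    client-certificate-data: " + base64.StdEncoding.EncodeToString(certPEM),
		"    client-key-data: REDACTED-IN-EXAMPLE",
	}, "\n")
}

// certFromKubeconfig pulls the first client-certificate-data value out of a
// kubeconfig with a line scan (enough for the one-user layout above; a real
// tool would use a YAML parser) and parses it as an X.509 certificate.
func certFromKubeconfig(kubeconfig string) (*x509.Certificate, error) {
	const key = "client-certificate-data:"
	for _, line := range strings.Split(kubeconfig, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, key) {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(strings.TrimPrefix(line, key)))
		if err != nil {
			return nil, fmt.Errorf("client-certificate-data is not valid base64: %w", err)
		}
		block, _ := pem.Decode(raw)
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, errors.New("client-certificate-data does not contain a PEM certificate")
		}
		return x509.ParseCertificate(block.Bytes)
	}
	return nil, errors.New("no client-certificate-data found (token-based kubeconfig?)")
}

// kubeconfigStatus maps the certificate validity window onto the two
// statuses the console shows for an issued file.
func kubeconfigStatus(cert *x509.Certificate, now time.Time) string {
	if now.After(cert.NotAfter) {
		return "Expired"
	}
	return "Effective"
}

func main() {
	now := time.Now()
	// One file expiring in 30 days, one that expired yesterday.
	for _, notAfter := range []time.Time{now.Add(30 * 24 * time.Hour), now.Add(-24 * time.Hour)} {
		certPEM, err := makeClientCert(notAfter)
		if err != nil {
			panic(err)
		}
		cert, err := certFromKubeconfig(buildKubeconfig(certPEM))
		if err != nil {
			panic(err)
		}
		fmt.Printf("subject=%s notAfter=%s status=%s\n",
			cert.Subject.CommonName, cert.NotAfter.UTC().Format(time.RFC3339), kubeconfigStatus(cert, now))
	}
}
```

Run it against a real exported kubeconfig by replacing the constructed input with the file contents; the NotAfter it prints is the expiration date the console reports, and a file whose NotAfter lies in the past is in the Expired state.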

Before you delete an Effective kubeconfig file, carefully verify whether the credential was legitimately issued and is still in use. For example, for employees who have left the company, delete their kubeconfig files individually so that active credentials are not affected. We also recommend that you use ack-ram-authenticator to enable webhook authentication for the API server of an ACK managed cluster. This provides a more flexible and controllable RBAC authorization experience and enables automatic revocation of data-plane kubeconfig credentials when a RAM user or RAM role is deleted.

Important
  • Before you delete a kubeconfig file, confirm that it is not used by any applications to prevent service disruptions.

  • You are responsible for managing your kubeconfig files, including promptly deleting any that pose a security risk.

Kubeconfig management

Kubeconfig files can be managed in three scopes. Each scope has its own use case, required permissions, and example procedure:

  • By cluster: Manage the kubeconfig files of all users for a target cluster. See Example: Manage kubeconfig files by cluster.

  • By RAM user or RAM role: Manage the kubeconfig files owned by a specific user. See Example: Manage kubeconfig files by RAM user or RAM role.

  • By deleted RAM user or RAM role: Use this scope when a RAM user or RAM role has been deleted from your account but their kubeconfig file is still effective. See Example: Delete the kubeconfig files of deleted users.

Example: Manage kubeconfig files by cluster

  1. Log on to the ACK console. In the left navigation pane, click Authorizations.

  2. Click the KubeConfig File Management tab. Find the target cluster and click KubeConfig File Management in the Actions column. This page lists all users with a kubeconfig file for this cluster or with residual RBAC permissions from a previously deleted file.

    If a RAM user or RAM role is deleted from your account but their kubeconfig file is still effective, the console displays a notification. For each listed user, the page shows:
    • User information: username, user ID, account type, and account status.

    • kubeconfig certificate information: kubeconfig expiration date, kubeconfig status, and more.

  3. After confirming the user's kubeconfig file is not used by any business applications, find the user and click Delete KubeConfig File in the Actions column.

    Important
    • Before you delete a kubeconfig file, confirm that it is not used by any applications to prevent service disruptions.

    • You are responsible for managing your kubeconfig files, including promptly deleting any that pose a security risk.

    When you click Delete KubeConfig File, a check is performed for access records of the kubeconfig file in the cluster API server audit logs within the last seven days. This check requires you to enable cluster auditing for the cluster.

Example: Manage kubeconfig files by RAM user or RAM role

  1. Log on to the ACK console. In the left navigation pane, click Authorizations.

  2. On the Authorizations page, click the RAM Users tab. Find the target user and click KubeConfig Management to go to the user's KubeConfig Management page.

    You can view the issuance status of the user's kubeconfig files for each cluster.

    • Cluster information: cluster name and ID.

    • kubeconfig certificate information: kubeconfig expiration date and status, and 7-day log check (certificate access records).

  3. To delete kubeconfig files for one or more clusters, first confirm that they are not used by any business applications.

    • Delete a single file: Find the target cluster and click Delete KubeConfig File in the Actions column.

    • Delete files in a batch: Select multiple clusters in the Cluster Name column, and then click Delete KubeConfig File in the lower-left corner of the page.

      Important
      • Before you delete a kubeconfig file, confirm that it is not used by any applications to prevent service disruptions.

      • You are responsible for managing your kubeconfig files, including promptly deleting any that pose a security risk.

      When you click Delete KubeConfig File, a check is performed for access records of the kubeconfig file in the cluster API server audit logs within the last seven days. This check requires you to enable cluster auditing for the cluster.

Example: Delete the kubeconfig files of deleted users

Console

  1. Log on to the ACK console. In the left navigation pane, click Authorizations.

  2. On the Authorizations page, if residual kubeconfig files for deleted users exist in your account, a notification message is displayed.

  3. In the red notification box, click manage the kubeconfig files associated with invalid accounts to open the Delete KubeConfig Files of Deleted RAM Users/Roles page.

    This page lists the deleted RAM users or RAM roles whose kubeconfig files and RBAC permissions are still effective.

  4. After confirming the user's kubeconfig file is not used by any business applications, click Delete KubeConfig File on the right of the deleted user.

    Important
    • Before you delete a kubeconfig file, confirm that it is not used by any applications to prevent service disruptions.

    • You are responsible for managing your kubeconfig files, including promptly deleting any that pose a security risk.

    When you click Delete KubeConfig File, a check is performed for access records of the kubeconfig file in the cluster API server audit logs within the last seven days. This check requires you to enable cluster auditing for the cluster.

ack-ram-tool

For more information about how to use the ack-ram-tool to delete a kubeconfig file, see Use ack-ram-tool to clear permissions of a specified user in a cluster.

FAQ

What is the 7-day access check?

The 7-day access check determines if the kubeconfig file was used to access the cluster in the last seven days. This check is for reference only; you are still responsible for confirming that the file is not in use by any business applications.

This feature requires that cluster auditing is enabled for the cluster.

Interpret the 7-day access check results

  • Successful

    • No access record found: The user may not have used the kubeconfig file to access the cluster API server in the last seven days.

    • Access records found: The user has used the kubeconfig file to access the cluster API server in the last seven days.

  • Failed

    • Failed to query access records: Cluster auditing is not enabled for the cluster, or another error occurred, such as a cluster connection failure or network issues.
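The check described above can be reproduced offline against exported audit events. The following Go program is an added example, not ACK's implementation of the 7-day access check: it scans newline-delimited API server audit events (the audit.k8s.io/v1 shape) for requests by a given username within the seven days before a fixed clock, and maps the outcomes onto the result table, with records found, no record found, and a query failure when no audit source exists or an event is malformed. The audit lines, usernames and timestamps are constructed; the username under which a kubeconfig identity appears in ACK audit logs is not stated on this page, so it is a placeholder here.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
	"time"
)

// auditEvent holds the few fields of a Kubernetes API server audit event
// (audit.k8s.io/v1) that the check needs.
type auditEvent struct {
	StageTimestamp string `json:"stageTimestamp"`
	Verb           string `json:"verb"`
	RequestURI     string `json:"requestURI"`
	User           struct {
		Username string `json:"username"`
	} `json:"user"`
}

// AccessCheck is the outcome of a successful query, mirroring the console's
// "No access record found" / "Access records found" results.
type AccessCheck struct {
	Found    bool
	Count    int
	LastSeen time.Time
}

// sevenDayAccessCheck scans newline-delimited audit events for requests made
// by username in the seven days before now. A nil auditLog models the
// "Failed to query access records" case in which cluster auditing is off;
// malformed lines are reported as errors rather than silently skipped so a
// broken log source is not mistaken for "no access".
func sevenDayAccessCheck(auditLog io.Reader, username string, now time.Time) (AccessCheck, error) {
	var result AccessCheck
	if auditLog == nil {
		return result, errors.New("cluster auditing is not enabled: no audit log to query")
	}
	cutoff := now.Add(-7 * 24 * time.Hour)
	sc := bufio.NewScanner(auditLog)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return AccessCheck{}, fmt.Errorf("malformed audit event: %w", err)
		}
		if ev.User.Username != username {
			continue
		}
		ts, err := time.Parse(time.RFC3339Nano, ev.StageTimestamp)
		if err != nil {
			return AccessCheck{}, fmt.Errorf("bad stageTimestamp %q: %w", ev.StageTimestamp, err)
		}
		if ts.Before(cutoff) || ts.After(now) {
			continue
		}
		result.Found = true
		result.Count++
		if ts.After(result.LastSeen) {
			result.LastSeen = ts
		}
	}
	if err := sc.Err(); err != nil {
		return AccessCheck{}, fmt.Errorf("reading audit log: %w", err)
	}
	return result, nil
}

// sampleAuditLog is constructed test data in the shape of API server audit
// events; the usernames are placeholders, not real ACK identities.
const sampleAuditLog = `
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stageTimestamp":"2024-06-13T08:30:00.412Z","verb":"list","requestURI":"/api/v1/namespaces/default/pods","user":{"username":"ram-user-example"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stageTimestamp":"2024-06-14T09:00:00Z","verb":"get","requestURI":"/api/v1/nodes","user":{"username":"other-user"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stageTimestamp":"2024-05-20T10:00:00Z","verb":"get","requestURI":"/api/v1/namespaces/default/configmaps","user":{"username":"ram-user-example"}}
`

// checkSample runs the check against the constructed log with a fixed clock
// so the outcome is reproducible.
func checkSample(username string) (AccessCheck, error) {
	now := time.Date(2024, 6, 15, 12, 0, 0, 0, time.UTC)
	return sevenDayAccessCheck(strings.NewReader(sampleAuditLog), username, now)
}

func main() {
	for _, u := range []string{"ram-user-example", "ram-user-idle"} {
		res, err := checkSample(u)
		switch {
		case err != nil:
			fmt.Printf("%s: failed to query access records: %v\n", u, err)
		case res.Found:
			fmt.Printf("%s: access records found (%d in 7 days, last %s)\n", u, res.Count, res.LastSeen.Format(time.RFC3339))
		default:
			fmt.Printf("%s: no access record found\n", u)
		}
	}
	if _, err := sevenDayAccessCheck(nil, "ram-user-example", time.Now()); err != nil {
		fmt.Println("auditing disabled:", err)
	}
}
```

As on the console, a "no access record found" result is evidence of absence only within the audit retention window and only for the identity you searched for; it does not replace confirming with application owners that the file is unused.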

When can't I delete a kubeconfig file?

  • The cluster is in an abnormal state: You cannot delete a kubeconfig file for a cluster that is in the Deletion Failed, Deleting, Deleted, or Failed state.

  • The kubeconfig file or certificate is in an abnormal state: You cannot delete a kubeconfig file that is in the Not Issued, Deleted, or Unknown state.

  • You cannot delete your own kubeconfig file.

  • You cannot delete the kubeconfig file of an Alibaba Cloud account.

How do I restore a deleted or previous kubeconfig file?

If you need to restore a kubeconfig file that was deleted by mistake or roll back to a previous version, you can use the kubeconfig recycle bin. For more information, see Use the kubeconfig recycle bin.

Kubeconfig management best practices

You are responsible for managing the access credentials for your account and ACK clusters. This includes storing credentials such as RAM AccessKey pairs, tokens, and ACK kubeconfig clients securely, managing authorizations based on the principle of least privilege, and promptly removing expired or unnecessary permissions. For example, revoke access for employees who have left the company. We also recommend that you use ack-ram-authenticator to enable webhook authentication for the API server of an ACK managed cluster. This provides a more flexible and controllable RBAC authorization experience and enables automatic revocation of data-plane kubeconfig credentials when a RAM user or role is deleted.

Important

You are solely responsible for any losses resulting from leaked or expired access credentials, such as RAM credentials and kubeconfig files, due to improper management. Make sure that you have read and will comply with the shared responsibility model.

Related documents

If an employee leaves your company or you suspect a kubeconfig file has been leaked, you can revoke it and generate a new one. For more information, see Revoke the kubeconfig credentials of a cluster.