Manage kubeconfigs with the kubeconfig recycle bin


Container Service for Kubernetes (ACK) issues kubeconfig credentials containing identity information to Alibaba Cloud accounts, RAM users, or RAM roles to connect to clusters. If you need to recover an accidentally deleted kubeconfig file or roll back to a previous version, you can use the kubeconfig recycle bin.

Usage notes

  • You must use an Alibaba Cloud account or a RAM user or RAM role with the required permissions.

    If you use a RAM user or RAM role, ensure it has the AliyunCSFullAccess and AliyunRAMReadOnlyAccess permissions.

  • You can only restore kubeconfigs that were cleared within the last 30 days. Kubeconfigs that were cleared more than 30 days ago cannot be restored. For more information about clearing kubeconfigs, see Clear a kubeconfig.

  • Because an Alibaba Cloud account, RAM user, or RAM role can have only one active kubeconfig per cluster, you cannot restore a previous version if an active one already exists for that identity.

Use cases

Scenario 1: Recover a deleted KubeConfig

Administrator A accidentally deletes the kubeconfig file for RAM user B on Cluster1. As a result, User B cannot connect to Cluster1. User B can then ask Administrator A to restore the deleted kubeconfig file from the recycle bin.

Scenario 2: Restore a previous KubeConfig

Administrator A deletes the v1 kubeconfig file for RAM user B on Cluster1. RAM user B then obtains a new v2 kubeconfig file from the console. However, Administrator A discovers that some applications still depend on the v1 kubeconfig file and its associated RBAC permissions.

To resolve this, Administrator A must first delete the v2 kubeconfig file, then find and restore the v1 kubeconfig file from the recycle bin.

Restore a KubeConfig

You can restore one or more kubeconfig files and their associated RBAC permissions.

  1. Log on to the ACK console. In the left navigation pane, click Authorizations.

  2. Click the KubeConfig File Management tab, and then click KubeConfig File Recycle Bin in the upper-right corner.

    The kubeconfig recycle bin displays a list of kubeconfig files deleted within the last 30 days. The list has the following columns:

      • Username, UID: The name and ID of the Alibaba Cloud account, RAM user, or RAM role associated with the kubeconfig file.

      • Certificate CN: The CommonName (CN) of the client certificate in the kubeconfig file. For more information, see Reference: Client certificate CN.

      • Cluster Name, Cluster ID: The name and ID of the cluster associated with the kubeconfig file.

      • RBAC Permissions: The list of RBAC permissions associated with the kubeconfig file.

      • Recycled At: The time when the kubeconfig file was deleted and moved to the recycle bin.

      • Deletion Interval: The time when the kubeconfig file will be permanently purged.

    The Recycle Bin can restore only kubeconfigs that were deleted within the last 30 days. Items older than 30 days are automatically deleted and cannot be recovered.

  3. Click Restore for the desired record to recover the kubeconfig file and its associated RBAC permissions.

    You can also select multiple records and restore them in a batch. When you perform a batch restore, avoid selecting conflicting kubeconfig files, that is, multiple records for the same identity on the same cluster.

Delete a KubeConfig record

If you are certain a kubeconfig file is no longer needed, you can permanently delete its record from the recycle bin. This action cannot be undone.

  1. Log on to the ACK console. In the left navigation pane, click Authorizations.

  2. Click the KubeConfig File Management tab, and then click KubeConfig File Recycle Bin in the upper-right corner.

  3. Find the record that you want to delete, click Delete, and then enter the Certificate CN to confirm the deletion.

Client certificate CN

In a kubeconfig, the client certificate's CN (CommonName) is the client identity for accessing a Kubernetes cluster. Different kubeconfigs correspond to different client identities. For more information, see kube-apiserver.

In ACK clusters, the client certificate CN follows the format {UserID}-{SuffixID}. In this format, UserID is the ID of the corresponding RAM user or RAM role, and SuffixID is a random string that is updated every time a kubeconfig file is deleted or revoked. This prevents historical kubeconfig files from being used to access the cluster.

FAQ

Multiple KubeConfig records for the same user

Each time a kubeconfig file is deleted or revoked, its Certificate CN is updated, creating a new record in the recycle bin.

Identify the correct KubeConfig to restore

You can check the RBAC permissions associated with each record to find the one you need. Alternatively, you can use the Certificate CN to distinguish between records. Run the following command to print the subject of the client certificate embedded in a specific kubeconfig file, then locate the record with the matching CN in the recycle bin and restore it. The command uses bash process substitution (<(...)), so run it in bash rather than in a plain POSIX sh.

openssl x509 -in <(kubectl config view --kubeconfig {kubeconfig_file_name} --raw --minify --output=jsonpath='{.users[0].user.client-certificate-data}' | base64 -d) -noout -subject

Why is the Restore button disabled?

A RAM user or RAM role can have only one active kubeconfig file for a specific cluster. If an active kubeconfig already exists for that identity and cluster, the Restore button for historical records is disabled to prevent conflicts.

To restore a historical kubeconfig file, you must first delete the currently active one. For more information, see Delete a kubeconfig file.

Causes for KubeConfig restoration failure

  • Insufficient RBAC permissions: Restoring a kubeconfig file also restores its associated RBAC permissions. The operation fails if the user performing the restoration lacks the necessary RBAC permissions on the cluster. For more information about how to grant permissions, see Authorize access to resources in a cluster by using RBAC.

  • Abnormal cluster state: If the cluster is in an abnormal state or is unreachable, the restoration fails.

  • Kubeconfig conflict: A RAM user or RAM role can have only one active kubeconfig per ACK cluster. If you attempt to batch restore multiple conflicting records for the same identity and cluster, ACK restores only the most recent record, and the restoration for the other records fails.
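The following Python script is an added example, not Alibaba Cloud code, that models the rules described in the Client certificate CN section and in the restoration failure causes above. It splits an ACK-style CN into UserID and SuffixID, looks up a recycle-bin record by CN (the FAQ step), and runs a batch restore that applies the 30-day retention window, the one-active-kubeconfig-per-identity-per-cluster rule (only the most recent conflicting record is restored), and a simplified check that the operator holds the RBAC permissions being re-granted. The record fields, IDs, cluster IDs, suffixes, RBAC names and timestamps are constructed; the console's real RBAC and cluster-state checks are not reproduced.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# The page states that the recycle bin keeps records for 30 days.
RETENTION = timedelta(days=30)


@dataclass(frozen=True)
class KubeconfigRecord:
    """One row of the recycle bin (field names follow the console columns)."""
    user_id: str              # UID column: RAM user / RAM role ID
    cluster_id: str           # Cluster ID column
    cert_cn: str              # Certificate CN column, format {UserID}-{SuffixID}
    rbac: frozenset[str]      # RBAC Permissions column (names are constructed)
    recycled_at: datetime     # Recycled At column


def parse_cn(cn: str) -> tuple[str, str]:
    """Split an ACK-style client certificate CN into (UserID, SuffixID).

    UserID is the numeric RAM identity ID and SuffixID is the random string
    rotated on every delete or revoke, so the split is at the first '-'.
    """
    user_id, sep, suffix = cn.partition("-")
    if not sep or not user_id.isdigit() or not suffix:
        raise ValueError(f"not an ACK-style certificate CN: {cn!r}")
    return user_id, suffix


def find_by_cn(records: Iterable[KubeconfigRecord], cn: str) -> Optional[KubeconfigRecord]:
    """The FAQ step: match the CN printed by openssl against the recycle bin."""
    return next((r for r in records if r.cert_cn == cn), None)


def restorable(rec, active, operator_rbac, now) -> Optional[str]:
    """Return None if `rec` can be restored, otherwise the failure reason.

    `active` holds (user_id, cluster_id) pairs that currently have a live
    kubeconfig; `operator_rbac` is the set of RBAC permissions the person
    restoring holds on the cluster (a simplification of the real check).
    """
    if now - rec.recycled_at > RETENTION:
        return "purged: recycled more than 30 days ago"
    if (rec.user_id, rec.cluster_id) in active:
        return "conflict: identity already has an active kubeconfig on this cluster"
    if not rec.rbac <= operator_rbac:
        missing = ", ".join(sorted(rec.rbac - operator_rbac))
        return f"insufficient RBAC: operator cannot re-grant {missing}"
    return None


def batch_restore(records, active, operator_rbac, now):
    """Restore a batch of records, applying the page's conflict rule.

    Records are processed most-recent first and each successful restore marks
    its identity+cluster as active, so among conflicting records only the most
    recent one is restored and the older ones fail.
    """
    restored, failed = [], {}
    active = set(active)
    for rec in sorted(records, key=lambda r: r.recycled_at, reverse=True):
        reason = restorable(rec, active, operator_rbac, now)
        if reason is None:
            restored.append(rec)
            active.add((rec.user_id, rec.cluster_id))
        else:
            failed[rec.cert_cn] = reason
    return restored, failed


# Constructed sample data: IDs, cluster IDs, suffixes and timestamps are made up.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    KubeconfigRecord("2001", "c-aaa", "2001-k7f2q", frozenset({"view"}), NOW - timedelta(days=3)),
    KubeconfigRecord("2001", "c-aaa", "2001-p9x1z", frozenset({"view", "admin"}), NOW - timedelta(days=10)),
    KubeconfigRecord("3002", "c-aaa", "3002-m4d8r", frozenset({"view"}), NOW - timedelta(days=45)),
    KubeconfigRecord("4003", "c-bbb", "4003-z2c6h", frozenset({"cluster-admin"}), NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    ok, bad = batch_restore(SAMPLE, active=set(), operator_rbac={"view", "admin"}, now=NOW)
    print("restored:", [r.cert_cn for r in ok])
    for cn, why in bad.items():
        print("failed:", cn, "->", why)
```

With the sample data, only the 3-day-old record for user 2001 is restored: the 10-day-old record for the same user and cluster fails with a conflict, the 45-day-old record is past the retention window, and the record whose RBAC permissions the operator does not hold fails the permission check.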

Related documents

  • If an employee leaves your organization or a kubeconfig file becomes a security risk, you should promptly delete it to revoke access. For instructions, see Delete a kubeconfig file.

  • If you suspect that an issued kubeconfig file has been compromised, revoke it to generate a new one. For instructions, see Revoke a kubeconfig credential for a cluster.