Delete kubeconfig files

更新时间:
复制 MD 格式

ACS issues kubeconfig files with identity credentials to Alibaba Cloud accounts, RAM users, and RAM roles for cluster access. You can view the status of issued kubeconfig files by cluster, RAM user, or RAM role, and delete files that pose security risks and revoke permissions.

Kubeconfig file overview

Kubeconfig files store the credentials that clients use to access ACS clusters. Query them in the ACS console or by calling the DescribeClusterUserKubeconfig API operation. Keep kubeconfig files confidential to prevent credential leaks.

Important

A kubeconfig file becomes invalid after the validity period of the file ends. For more information about how to query the validity period of a kubeconfig file, see Query the expiration date of the certificate used in a kubeconfig file.

Status of kubeconfig files

The following table describes the status values of kubeconfig files.

Status

Description

Not Issued

The kubeconfig file has not been issued to the RAM user or RAM role for this cluster.

Effective

The kubeconfig file has been issued and is still valid.

The kubeconfig file was deleted but Role-Based Access Control (RBAC) permissions were not revoked.

Expired

The kubeconfig file has been issued but has expired.

Deleted

The kubeconfig file has been deleted.

When you delete a kubeconfig file, the kubeconfig information and RBAC binding for the RAM user or RAM role are also deleted.

Before deleting a kubeconfig file, check its importance and validity period. For example, delete kubeconfig files issued to employees who have left the company, and address files approaching expiration to prevent business interruptions.

Important
  • Verify that no applications depend on the kubeconfig file before deletion. Otherwise, you will lose access to the cluster's API server.

  • Under the shared responsibility model, you are responsible for managing and maintaining kubeconfig files. Delete files that pose potential security risks promptly.

Kubeconfig file management

Dimension

Use case

Required permission

Example

Cluster

Manage kubeconfig files for all RAM users or RAM roles in a specific cluster.

Example of managing kubeconfig files in clusters

RAM user or RAM role

Manage all kubeconfig files issued to a specific RAM user or RAM role across clusters.

Example of managing kubeconfig files that are issued to RAM users or RAM roles

Deleted RAM user or RAM role

Manage residual kubeconfig files from deleted RAM users or RAM roles that are still in effect.

Example of deleting residual kubeconfig files

Example of managing kubeconfig files in clusters

  1. Log on to the ACS console. In the left-side navigation pane, click Authorizations.

  2. On the Authorizations page, click the KubeConfig File Management tab. Then, find the cluster that you want to manage and click KubeConfig File Management in the Actions column. The KubeConfig File Management panel appears.

    The panel lists RAM users and RAM roles that hold kubeconfig files for this cluster, including those who deleted their kubeconfig files but retain RBAC permissions:

    • User information: Username, user ID, account type, and account status

    • Kubeconfig file information: Expiration date and status

  3. After confirming that no applications use the kubeconfig file, click Delete KubeConfig File in the Actions column for the target RAM user or RAM role.

    Important
    • Make sure that no risk occurs before you delete a kubeconfig file. Otherwise, you cannot access the API server of the cluster that generates the kubeconfig file.

    • As defined in the shared responsibility model, kubeconfig files are managed and maintained by the customers of Alibaba Cloud. We recommend that you delete kubeconfig files that have potential risks as soon as possible.

    After you click Delete KubeConfig File, the system automatically accesses the audit logs of the API server to check the access records of the kubeconfig file within the previous seven days. To use this feature, make sure that the cluster auditing feature of the API server is enabled. For more information, see Work with cluster auditing.

Example on managing kubeconfig files that are issued to RAM users or RAM roles

  1. Log on to the ACS console. In the left-side navigation pane, click Authorizations.

  2. On the Authorizations page, click the RAM Users tab. On the RAM Users tab, find the RAM user that you want to manage and click KubeConfig Management on the right. The KubeConfig Management panel appears.

    The panel displays the kubeconfig file status across clusters for the selected RAM user or RAM role, including cluster and kubeconfig file details.

    • Cluster information: includes the name and ID of the cluster.

    • Kubeconfig file information: includes the expiration date and status of the kubeconfig file and records of access by using the kubeconfig file in the previous seven days.

  3. Delete the kubeconfig file of a cluster or delete the kubeconfig files of multiple clusters at a time. Before you delete a kubeconfig file, make sure that the kubeconfig file is not used by any applications.

    • Delete the kubeconfig file of a cluster: Find the cluster whose kubeconfig files you want to delete and click Delete KubeConfig File in the Actions column.

    • Delete the kubeconfig files of multiple clusters at a time: Select the clusters whose kubeconfig files you want to delete and click Delete KubeConfig File in the lower-left part of the panel.

      Important
      • Make sure that no risk occurs before you delete a kubeconfig file. Otherwise, you cannot access the API server of the cluster that generates the kubeconfig file.

      • As defined in the shared responsibility model, kubeconfig files are managed and maintained by the customers of Alibaba Cloud. We recommend that you delete kubeconfig files that have potential risks as soon as possible.

      Note

      After you click Delete KubeConfig File, the system automatically accesses the audit logs of the API server to check the access records of the kubeconfig file within the previous seven days. To use this feature, make sure that the cluster auditing feature of the API server is enabled. For more information, see Work with cluster auditing.

Example of deleting residual kubeconfig files

Use the ACK console

  1. Log on to the ACS console. In the left-side navigation pane, click Authorizations.

  2. The Authorizations page displays the following message if residual kubeconfig files of RAM users or RAM roles that have been deleted exist.image.png

  3. Click manage the kubeconfig files associated with invalid accounts in the message to go to the Delete KubeConfig Files of Deleted RAM Users/Roles page.

    This page lists deleted RAM users and RAM roles whose kubeconfig files and RBAC permissions remain in effect.

  4. Make sure that the residual kubeconfig file to be deleted is not used by any applications and click Delete KubeConfig File to the right of a deleted RAM user or RAM role to delete the kubeconfig file.

    Important
    • Make sure that no risk occurs before you delete a kubeconfig file. Otherwise, you cannot access the API server of the cluster that generates the kubeconfig file.

    • As defined in the shared responsibility model, kubeconfig files are managed and maintained by the customers of Alibaba Cloud. We recommend that you delete kubeconfig files that have potential risks as soon as possible.

    After you click Delete KubeConfig File, the system automatically accesses the audit logs of the API server to check the access records of the kubeconfig file within the previous seven days. To use this feature, make sure that the cluster auditing feature of the API server is enabled. For more information, see Work with cluster auditing.

FAQ about kubeconfig files

What is seven-day access record check?

The seven-day access record check determines whether a kubeconfig file was used to access the cluster in the past seven days. This feature requires API server cluster auditing to be enabled. For more information, see Work with cluster auditing. Check results are for reference only. Always verify that the kubeconfig file is not in use before deletion.

How do I understand the seven-day access record check results?

Check result

Type

Possible cause

The request is initiated

No access record is found.

The kubeconfig file is not used to access the API server of the cluster within the previous seven days.

Access records are found.

The kubeconfig file is used to access the API server of the cluster within the previous seven days.

Failed

Failed to query access records.

Seven-day access record check fails because the cluster auditing feature is disabled.

Seven-day access record check fails due to other errors such as cluster connection failures or network issues.

In which scenarios am I unable to delete kubeconfig files?

  • Abnormal cluster states: Do not delete the kubeconfig files of clusters that are in the Deletion Failed, Deleting, Deleted, and Failed states.

  • Abnormal kubeconfig file or certificate states: Do not delete kubeconfig files that are in the Not Issued, Revoked, and Unknown states.

  • You cannot delete kubecofig files held by you.

  • You cannot delete kubeconfig files issued to Alibaba Cloud accounts.

What is the best security practice for kubeconfig file management?

Manage and safeguard all credentials used to access clusters, including RAM user AccessKey pairs, tokens, and kubeconfig files. Follow the least privilege principle when granting cluster permissions, and revoke access promptly. For example, revoke cluster access for an employee's account as soon as they leave the company.

Important

Based on the shared responsibility model, you are responsible for maintaining the kubeconfig files. Make sure that the kubeconfig files are available and valid. This prevents security risks caused by kubeconfig file leaks.

References

If an employee leaves the company or a kubeconfig file is suspected to be leaked, you can revoke the kubeconfig file and generate a new kubeconfig file. For more information, see Revoke a cluster kubeconfig file.