Kubeconfig files store parameters and credentials that kubectl and other Kubernetes clients use to connect to and authenticate with ACS clusters. Kubeconfig files also contain information about clusters, users, namespaces, and the identity authentication mechanism. Alibaba Cloud Container Compute Service (ACS) signs and issues kubeconfig files containing identity information to Alibaba Cloud accounts, Resource Access Management (RAM) users, and RAM roles.
Under the shared responsibility model, you are responsible for keeping kubeconfig files secure and valid. Revoke or delete them promptly when they are no longer needed to prevent unauthorized access.
Get a kubeconfig file
Connect to a cluster over the Internet or a private connection by getting its kubeconfig file.
If you do not need long-term access to a cluster's API server, use a temporary kubeconfig file to reduce the risk of credential leaks.
For detailed steps, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Revoke a kubeconfig file
RAM users and RAM roles can revoke their own kubeconfig files. After revocation, ACS automatically generates a new kubeconfig file and binds it to the same RAM user or RAM role. The revoked file becomes invalid.
For detailed steps, see Revoke the kubeconfig file of a cluster.
Delete kubeconfig files
Permission administrators can batch delete kubeconfig files belonging to clusters, RAM users, or RAM roles they manage. Unlike revocation, deletion does not generate a replacement kubeconfig file.
When an employee leaves the organization or you need to revoke access permanently, you can use the console to delete the kubeconfig file issued to that employee to mitigate potential security risks.
For detailed steps, see Delete kubeconfig files.
What's next
If a kubeconfig file is compromised, revoke it immediately to invalidate the leaked credentials and get a new file.
When offboarding team members, delete their kubeconfig files to remove cluster access.