In multi-tenant scenarios, Container Service issues KubeConfig credentials to users with different roles. These KubeConfig credentials contain unique identity information about users and are used to connect to clusters. When an employee leaves the company or a KubeConfig credential is suspected of having been leaked, revoking the credential is an important way to protect the cluster. This topic describes how to revoke a KubeConfig credential in the console.
- You can revoke your own KubeConfig credentials.
Note: If you are using an Alibaba Cloud account, you can revoke your own KubeConfig credentials only if the cluster was created no earlier than October 15, 2019.
- You can log on to your Alibaba Cloud account to revoke KubeConfig credentials that are issued to RAM users.
Revoke your own KubeConfig credential
- Log on to the Container Service console.
- In the left-side navigation pane, go to the Clusters page.
- Click Manage in the Actions column.
If you are using an Alibaba Cloud account, select a cluster that was created no earlier than October 15, 2019.
If you want to revoke a KubeConfig credential that is used to access a Serverless Kubernetes cluster, select a cluster that was created after September 6, 2019.
- On the cluster details page, click Revoke KubeConfig.
- In the dialog box that appears, click OK. This revokes your KubeConfig credential that is used to access the selected cluster.
The system then automatically assigns you a new KubeConfig credential.
Use an Alibaba Cloud account to revoke a KubeConfig credential of a RAM user
- Log on to the Container Service Console with your Alibaba Cloud account.
- In the left-side navigation pane, go to the Authorizations page.
- On the RAM Users tab, select the target RAM user and click Revoke KubeConfig.
In the dialog box that appears, you can find the clusters that the selected RAM user has access to.
- Find the target cluster and click Revoke KubeConfig.
- In the dialog box that appears, click OK.
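Revoking a credential in the console does not remove copies of the old KubeConfig file that remain on workstations or in CI systems. The following added example (not part of the original documentation or of Container Service) fingerprints the embedded client certificate to find such stale copies. It assumes each KubeConfig has been loaded as JSON, for example from `kubectl config view --raw -o json`, and stores its credential under `client-certificate-data`; the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import ssl

def cert_fingerprint(b64_pem: str) -> str:
    """SHA-256 of the DER certificate held in a client-certificate-data value."""
    pem = base64.b64decode(b64_pem).decode("ascii")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def user_fingerprints(kubeconfig: dict) -> dict:
    """Map each user entry to the fingerprint of its embedded client certificate."""
    out = {}
    for entry in kubeconfig.get("users") or []:
        data = (entry.get("user") or {}).get("client-certificate-data")
        if data:  # token or exec based users carry no embedded certificate
            out[entry["name"]] = cert_fingerprint(data)
    return out

def find_stale_copies(revoked: dict, copies: dict) -> list:
    """Return (location, user) pairs that still hold a certificate
    from the revoked KubeConfig (assumption: one saved copy of it is available)."""
    revoked_fps = set(user_fingerprints(revoked).values())
    return sorted(
        (location, user)
        for location, cfg in copies.items()
        for user, fp in user_fingerprints(cfg).items()
        if fp in revoked_fps
    )

# --- Constructed sample data: placeholder bytes, not real certificates ---
def _sample_kubeconfig(user: str, der: bytes) -> dict:
    pem = ssl.DER_cert_to_PEM_cert(der)
    data = base64.b64encode(pem.encode("ascii")).decode("ascii")
    return {"users": [{"name": user, "user": {"client-certificate-data": data}}]}

OLD = _sample_kubeconfig("dev-user", b"constructed-old-credential")  # before revocation
NEW = _sample_kubeconfig("dev-user", b"constructed-new-credential")  # issued afterwards
COPIES = {"laptop/.kube/config": NEW, "ci/deploy-kubeconfig.json": OLD}

if __name__ == "__main__":
    for location, user in find_stale_copies(OLD, COPIES):
        print(f"{location}: user {user!r} still holds the revoked credential")
```

Any location the check reports should be updated with the newly issued KubeConfig, and the old file deleted.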