In multi-tenant scenarios, Container Service issues KubeConfig credentials to users with different roles. These KubeConfig credentials contain unique identity information about users and are used to connect to clusters. When an employee leaves the company or a KubeConfig credential is suspected to be leaked, revoking the KubeConfig credential is an important method to protect the security of the cluster. This topic describes how to revoke a KubeConfig credential in the console.

KubeConfig credentials can be revoked in the following two scenarios:
  • You can revoke your own KubeConfig credentials.
    Note If you are using an Alibaba Cloud account, you can revoke your own KubeConfig credentials only if the cluster was created no earlier than October 15, 2019.
  • You can log on to your Alibaba Cloud account to revoke KubeConfig credentials that are issued to RAM users.

Revoke your own KubeConfig credential

Notice After your KubeConfig credential is revoked, you cannot use the credential to connect to the cluster. Perform this operation with caution.
  1. Log on to the Container Service console.
  2. In the left-side navigation pane, choose Clusters > Clusters to go to the Clusters page.
  3. Click Manage in the Actions column.
    Note

    If you are using an Alibaba Cloud account, select a cluster that was created no earlier than October 15, 2019.

    If you want to revoke a KubeConfig credential that is used to access a Serverless Kubernetes cluster, select a cluster that was created after September 6, 2019.

  4. On the cluster details page, click Revoke KubeConfig.
    Kubeconfig credential
  5. In the dialog box that appears, click OK. This revokes your KubeConfig credential that is used to access the selected cluster.
    The system then automatically assigns you a new KubeConfig credential.

Use an Alibaba Cloud account to revoke a KubeConfig credential of a RAM user

  1. Log on to the Container Service Console with your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Clusters > Authorizations to go to the Authorizations page.
  3. On the RAM Users tab, select the target RAM user and click Revoke KubeConfig.
    In the dialog box that appears, you can find the clusters that the selected RAM user has access to.Revoke the credential of a RAM user
  4. Find the target cluster and clickRevoke KubeConfig.
  5. In the dialog box that appears, click OK.