
Container Service for Kubernetes:Delete kubeconfig files

Last Updated:Jun 05, 2025

Container Service for Kubernetes (ACK) issues kubeconfig files that contain identity credentials to Alibaba Cloud accounts, Resource Access Management (RAM) users, and RAM roles so that they can connect to clusters. The kubeconfig file management feature lists the status of every issued kubeconfig file, viewed either per cluster or per user, so that you can revoke kubeconfig files that may have been exposed and remove the permissions bound to them.

Kubeconfig file overview

Kubeconfig files store the credentials that clients use to access ACK clusters. You can view kubeconfig files in the ACK console or by calling the DescribeClusterUserKubeconfig API operation. Keep kubeconfig files confidential: whoever holds a kubeconfig file has the same API server access as the identity it was issued to, so a leak can lead to data breaches and other security exposures.

Important

A kubeconfig file has a fixed expiration date. After that date, the credential it contains is rejected by the API server and access is automatically revoked. For how to find the date, see How do I query the expiration date of the certificate used in a kubeconfig file?
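The following Go program is an added example, not code from the ACK documentation or from any Alibaba Cloud tool. It pulls the client certificate out of a kubeconfig file and reports its subject and notAfter date, which is the offline way to answer the expiration question above for certificate-based kubeconfig files. It assumes the certificate is embedded inline as client-certificate-data (the form ACK issues) and uses only the Go standard library. The sampleKubeconfig helper generates a self-signed certificate purely so the example runs without a real cluster; its subject name and dates are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math"
	"math/big"
	"regexp"
	"time"
)

// CertInfo holds the parts of the embedded client certificate that matter
// when reviewing a kubeconfig file for expiry.
type CertInfo struct {
	CommonName    string
	Organizations []string
	NotAfter      time.Time
}

// certDataRe extracts the inline client-certificate-data value. A regex is
// used instead of a YAML library so the example needs only the standard
// library; it does not handle the client-certificate: <path> variant.
var certDataRe = regexp.MustCompile(`(?m)^\s*client-certificate-data:\s*([A-Za-z0-9+/=]+)\s*$`)

// ParseKubeconfigCert decodes the first client certificate in a kubeconfig
// and returns its subject and notAfter date.
func ParseKubeconfigCert(kubeconfig string) (CertInfo, error) {
	m := certDataRe.FindStringSubmatch(kubeconfig)
	if m == nil {
		return CertInfo{}, errors.New("no client-certificate-data found (token-based kubeconfig?)")
	}
	raw, err := base64.StdEncoding.DecodeString(m[1])
	if err != nil {
		return CertInfo{}, fmt.Errorf("decode client-certificate-data: %w", err)
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertInfo{}, errors.New("client-certificate-data is not a PEM CERTIFICATE")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertInfo{}, fmt.Errorf("parse certificate: %w", err)
	}
	return CertInfo{CommonName: cert.Subject.CommonName, Organizations: cert.Subject.Organization, NotAfter: cert.NotAfter}, nil
}

// DaysRemaining returns whole days until the certificate expires; a negative
// value means it has already expired.
func DaysRemaining(info CertInfo, now time.Time) int {
	return int(math.Floor(info.NotAfter.Sub(now).Hours() / 24))
}

// sampleKubeconfig builds a constructed kubeconfig carrying a self-signed
// client certificate that expires at notAfter. It exists only so the example
// runs offline; ACK-issued certificates are signed by the cluster CA.
func sampleKubeconfig(cn string, notAfter time.Time) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"system:users"}},
		NotBefore:    notAfter.Add(-24 * time.Hour),
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	pemCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return fmt.Sprintf("apiVersion: v1\nkind: Config\nclusters:\n- name: sample-cluster\n  cluster:\n    server: https://sample.invalid:6443\nusers:\n- name: sample-user\n  user:\n    client-certificate-data: %s\n    client-key-data: REDACTED\n",
		base64.StdEncoding.EncodeToString(pemCert)), nil
}

func main() {
	now := time.Now().Truncate(time.Second)
	cfg, err := sampleKubeconfig("sample-ram-user", now.Add(5*24*time.Hour))
	if err != nil {
		panic(err)
	}
	info, err := ParseKubeconfigCert(cfg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN=%s O=%v notAfter=%s daysRemaining=%d\n",
		info.CommonName, info.Organizations, info.NotAfter.Format(time.RFC3339), DaysRemaining(info, now))
}
```

For a real file, read it with os.ReadFile and pass the contents to ParseKubeconfigCert. The same check can be done from a shell by decoding the client-certificate-data value with base64 -d and piping it to openssl x509 -noout -subject -enddate.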

Status of kubeconfig files

The following table describes the statuses of kubeconfig files in ACK.

| Status | Description |
| --- | --- |
| Not Issued | The kubeconfig file of the current cluster has not been issued to the RAM user or RAM role. |
| Effective | The kubeconfig file of the current cluster has been issued to the RAM user or RAM role and is still valid. |
| Revoked | The kubeconfig file issued to the RAM user or RAM role has been revoked, but the Role-Based Access Control (RBAC) permissions of the RAM user or RAM role have not been revoked. |
| Expired | The kubeconfig file of the current cluster has been issued to the RAM user or RAM role but has expired. |
| Deleted | The kubeconfig file of the current cluster has been issued to the RAM user or RAM role and has since been deleted. Deleting a kubeconfig file removes both the kubeconfig information and the RBAC binding of the RAM user or RAM role. |

Before you revoke an active kubeconfig credential, confirm that it is no longer needed. For example, delete the kubeconfig files of employees who have left the company one at a time rather than in bulk, so that credentials still in legitimate use are not invalidated by mistake. We recommend that you use ack-ram-authenticator for API server webhook authentication in an ACK managed cluster: it gives you fine-grained RBAC control and automatically revokes kubeconfig credentials when the associated RAM users or RAM roles are deleted.

Important
  • Before deleting a kubeconfig file, ensure no operational dependencies exist. Otherwise, cluster API server access via this credential will be permanently disabled.

  • You are responsible for maintaining and managing kubeconfig files. Immediate revocation of compromised credentials is mandatory for security compliance.

Kubeconfig file management

| Dimension | Scenario | Required permission | Example |
| --- | --- | --- | --- |
| Cluster | Manage the kubeconfig files of all RAM users or RAM roles in an ACK cluster. | | Example on managing kubeconfig files in clusters |
| RAM user or RAM role | Manage all kubeconfig files that are issued to a RAM user or RAM role. | | Example on managing kubeconfig files that are issued to RAM users or RAM roles |
| Deleted RAM user or RAM role | Manage the residual kubeconfig files of a deleted RAM user or RAM role. Residual kubeconfig files remain in effect until they are deleted. | | Example on deleting residual kubeconfig files |

Example on managing kubeconfig files in clusters

  1. Log on to the ACK console. In the left-side navigation pane, click Authorizations.

  2. On the Authorizations page, click the KubeConfig File Management tab. Then, find the target cluster and click KubeConfig File Management in the Actions column to view users holding kubeconfig files and users with historical RBAC permissions from revoked kubeconfig files.

    If your account contains deleted RAM users/roles whose associated kubeconfig files remain active, the console will show a relevant notification.
    • User information: the username, user ID, account type, and account status.

    • Kubeconfig file information: the expiration date and status of the kubeconfig file.

  3. After you confirm that the kubeconfig file of the current cluster held by a RAM user or RAM role is not used by any applications, click Delete KubeConfig File in the Actions column that corresponds to the RAM user or RAM role to delete the kubeconfig file.

    Important
    • Before deleting a kubeconfig file, ensure no operational dependencies exist. Otherwise, cluster API server access via this credential will be permanently disabled.

    • You are responsible for maintaining and managing kubeconfig files. Immediate revocation of compromised credentials is mandatory for security compliance.

    After you click Delete KubeConfig File, the system automatically checks the API server audit logs for accesses made with this kubeconfig file within the last 7 days. To use this feature, make sure that the cluster auditing feature of the API server is enabled. For more information, see Work with cluster auditing.

Example on managing kubeconfig files that are issued to RAM users or RAM roles

  1. Log on to the ACK console. In the left-side navigation pane, click Authorizations.

  2. On the Authorizations page, click the RAM Users tab, find the target RAM user, and click KubeConfig Management in the Actions column.

    The KubeConfig Management panel displays the status list of kubeconfig files across all clusters associated with this RAM user.

    • Cluster information: includes the name and ID of the cluster.

    • Kubeconfig file information: includes the expiration date and status of the kubeconfig file, and 7-day audit logs (specifically certificate access logs).

  3. Delete the kubeconfig file of a cluster or delete the kubeconfig files of multiple clusters at a time. Before you delete a kubeconfig file, make sure that the kubeconfig file is not used by any applications.

    • Delete the kubeconfig file of a cluster: Find the cluster whose kubeconfig files you want to delete and click Delete KubeConfig File in the Actions column.

    • Delete the kubeconfig files of multiple clusters at a time: Select the clusters whose kubeconfig files you want to delete and click Delete KubeConfig File in the lower-left part of the panel.

      Important
      • Before deleting a kubeconfig file, ensure no operational dependencies exist. Otherwise, cluster API server access via this credential will be permanently disabled.

      • You are responsible for maintaining and managing kubeconfig files. Immediate revocation of compromised credentials is mandatory for security compliance.

      After you click Delete KubeConfig File, the system automatically checks the API server audit logs for accesses made with this kubeconfig file within the last 7 days. To use this feature, make sure that the cluster auditing feature of the API server is enabled. For more information, see Work with cluster auditing.

Example on deleting residual kubeconfig files

ACK console

  1. Log on to the ACK console. In the left-side navigation pane, click Authorizations.

  2. If residual kubeconfig files of RAM users or RAM roles that have been deleted exist, the Authorizations page displays a message to that effect.

  3. Click manage the kubeconfig files associated with invalid accounts in the message to go to the Delete KubeConfig Files of Deleted RAM Users/Roles page.

    You can view the deleted RAM users or RAM roles whose kubeconfig files and RBAC permissions are still in effect on this page.

  4. Make sure that the residual kubeconfig file to be deleted is not used by any applications and click Delete KubeConfig File to the right of a deleted RAM user or RAM role to delete the kubeconfig file.

    Important
    • Before deleting a kubeconfig file, ensure no operational dependencies exist. Otherwise, cluster API server access via this credential will be permanently disabled.

    • You are responsible for maintaining and managing kubeconfig files. Immediate revocation of compromised credentials is mandatory for security compliance.

    After you click Delete KubeConfig File, the system automatically checks the API server audit logs for accesses made with this kubeconfig file within the last 7 days. To use this feature, make sure that the cluster auditing feature of the API server is enabled. For more information, see Work with cluster auditing.

ack-ram-tool

For more information about how to use ack-ram-tool to delete kubeconfig files, see Use ack-ram-tool to revoke the permissions of specified users on ACK clusters.
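The console page above lists deleted RAM users and RAM roles whose RBAC permissions are still in effect. As an added cross-check from the cluster side (example code written for this page, not part of ACK or ack-ram-tool), the Go program below reads the JSON that kubectl get clusterrolebindings,rolebindings -A -o json prints and lists every User subject that is absent from a set of identities you still consider active. The active set, the binding names and the user names in sampleBindings are constructed placeholders, and how ACK encodes a RAM user or RAM role in an RBAC subject is not covered on this page, so map real RAM identities to subject names before acting on the output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// binding is the subset of a ClusterRoleBinding or RoleBinding the check reads.
type binding struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	RoleRef struct {
		Kind string `json:"kind"`
		Name string `json:"name"`
	} `json:"roleRef"`
	Subjects []struct {
		Kind string `json:"kind"`
		Name string `json:"name"`
	} `json:"subjects"`
}

// bindingList is the v1 List envelope that kubectl -o json wraps items in.
type bindingList struct {
	Items []binding `json:"items"`
}

// Orphan is a User subject that no longer corresponds to an active identity.
type Orphan struct {
	User    string
	Binding string // "ClusterRoleBinding/<name>" or "RoleBinding/<namespace>/<name>"
	RoleRef string // "<kind>/<name>" of the role the subject still holds
}

// FindOrphanedUserBindings returns every User subject in listJSON that is not
// in activeUsers, sorted for stable output. Group and ServiceAccount subjects
// are ignored because they are not tied to an individual RAM identity.
func FindOrphanedUserBindings(listJSON []byte, activeUsers map[string]bool) ([]Orphan, error) {
	var list bindingList
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, fmt.Errorf("parse binding list: %w", err)
	}
	var out []Orphan
	for _, b := range list.Items {
		ref := b.Kind + "/" + b.Metadata.Name
		if b.Metadata.Namespace != "" {
			ref = b.Kind + "/" + b.Metadata.Namespace + "/" + b.Metadata.Name
		}
		for _, s := range b.Subjects {
			if s.Kind != "User" || activeUsers[s.Name] {
				continue
			}
			out = append(out, Orphan{User: s.Name, Binding: ref, RoleRef: b.RoleRef.Kind + "/" + b.RoleRef.Name})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].User != out[j].User {
			return out[i].User < out[j].User
		}
		return out[i].Binding < out[j].Binding
	})
	return out, nil
}

// sampleBindings is a constructed stand-in for the output of
// kubectl get clusterrolebindings,rolebindings -A -o json. The names are
// placeholders, not real ACK subjects.
const sampleBindings = `{"kind":"List","apiVersion":"v1","items":[
 {"kind":"ClusterRoleBinding","metadata":{"name":"ops-admin"},
  "roleRef":{"kind":"ClusterRole","name":"cluster-admin"},
  "subjects":[{"kind":"User","name":"ram-user-alice"},{"kind":"User","name":"ram-user-leaver"}]},
 {"kind":"RoleBinding","metadata":{"name":"dev-view","namespace":"dev"},
  "roleRef":{"kind":"ClusterRole","name":"view"},
  "subjects":[{"kind":"User","name":"ram-user-leaver"},{"kind":"ServiceAccount","name":"ci","namespace":"dev"}]}
]}`

func main() {
	// Constructed: the identities that still exist in RAM.
	active := map[string]bool{"ram-user-alice": true}
	orphans, err := FindOrphanedUserBindings([]byte(sampleBindings), active)
	if err != nil {
		panic(err)
	}
	for _, o := range orphans {
		fmt.Printf("orphaned subject %s in %s still holds %s\n", o.User, o.Binding, o.RoleRef)
	}
}
```

A subject that shows up here still has whatever the referenced role grants, even if the person behind it is gone; that is exactly the "RBAC permissions still in effect" condition the console flags, and deleting the kubeconfig file through the console (which also removes the binding) or removing the subject from the binding closes it.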

FAQs

What is 7-day access record check?

The 7-day access record check feature checks whether a kubeconfig file is used to access the corresponding cluster within the last 7 days. The check results are only for reference. You must make sure that the kubeconfig file to be deleted is not used by any applications.

To use this feature, make sure that the cluster auditing feature of the API server is enabled. For more information, see Work with cluster auditing.

How do I understand the seven-day access record check results?

| Check result | Type | Cause |
| --- | --- | --- |
| Successful | No access record is found. | The kubeconfig file was not used to access the cluster API server within the last 7 days. |
| Successful | Access records are found. | The kubeconfig file was used to access the cluster API server within the last 7 days. |
| Failed | Failed to query access records. | The cluster auditing feature is disabled. |
| Failed | Failed to query access records. | Other errors, such as cluster connection failures or network issues. |
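To show what a 7-day access check is actually looking at, here is an added example (not ACK's implementation): a Go function that scans newline-delimited Kubernetes audit events (the audit.k8s.io/v1 format the API server log backend writes, one JSON object per line) for requests by a given username in the 7 days before a reference time, and maps the outcome onto the three results in the table above. The lines in sampleAuditLog are constructed; the usernames, URIs and timestamps are placeholders, and how ACK names a kubeconfig holder in the event's user.username field is not stated on this page.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
	"time"
)

// AuditEvent is the subset of an audit.k8s.io/v1 Event needed for the check.
type AuditEvent struct {
	Stage string `json:"stage"`
	Verb  string `json:"verb"`
	User  struct {
		Username string `json:"username"`
	} `json:"user"`
	RequestURI               string    `json:"requestURI"`
	RequestReceivedTimestamp time.Time `json:"requestReceivedTimestamp"`
}

// AccessCheck mirrors the outcomes in the table above: Succeeded false is
// "Failed"; Succeeded true with Count 0 is "No access record is found".
type AccessCheck struct {
	Succeeded bool
	Count     int       // completed requests by the user inside the window
	LastSeen  time.Time // most recent such request
	Err       error
}

// SevenDayAccessCheck scans audit events and reports whether username made
// any request in the 7 days before now. Only the ResponseComplete stage is
// counted so a request logged at both RequestReceived and ResponseComplete
// is not double counted.
func SevenDayAccessCheck(log io.Reader, username string, now time.Time) AccessCheck {
	cutoff := now.Add(-7 * 24 * time.Hour)
	res := AccessCheck{Succeeded: true}
	sc := bufio.NewScanner(log)
	sc.Buffer(make([]byte, 1024*1024), 1024*1024) // audit events can exceed the default line limit
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			// An unreadable log is a failed check, not "no access": the caller
			// must not read it as permission to delete the kubeconfig file.
			return AccessCheck{Err: fmt.Errorf("malformed audit event: %w", err)}
		}
		if ev.Stage != "ResponseComplete" || ev.User.Username != username {
			continue
		}
		ts := ev.RequestReceivedTimestamp
		if ts.Before(cutoff) || ts.After(now) {
			continue
		}
		res.Count++
		if ts.After(res.LastSeen) {
			res.LastSeen = ts
		}
	}
	if err := sc.Err(); err != nil {
		return AccessCheck{Err: fmt.Errorf("read audit log: %w", err)}
	}
	return res
}

// Describe renders the outcome in the wording of the console check.
func Describe(r AccessCheck) string {
	switch {
	case !r.Succeeded:
		return "Failed: failed to query access records: " + r.Err.Error()
	case r.Count == 0:
		return "Successful: no access record is found."
	default:
		return fmt.Sprintf("Successful: access records are found (%d requests, last at %s).",
			r.Count, r.LastSeen.Format(time.RFC3339))
	}
}

// sampleAuditLog is a constructed excerpt; usernames, URIs and timestamps
// are placeholders, not real ACK audit content.
const sampleAuditLog = `
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"list","user":{"username":"ram-user-alice"},"requestURI":"/api/v1/pods","requestReceivedTimestamp":"2025-06-03T09:15:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"ram-user-alice"},"requestURI":"/api/v1/pods","requestReceivedTimestamp":"2025-06-03T09:15:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"ram-user-alice"},"requestURI":"/api/v1/namespaces/default","requestReceivedTimestamp":"2025-05-20T08:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"ram-user-bob"},"requestURI":"/api/v1/nodes","requestReceivedTimestamp":"2025-06-04T12:00:00.000000Z"}
`

// sampleNow is the constructed reference time for the sample log.
var sampleNow = time.Date(2025, 6, 5, 0, 0, 0, 0, time.UTC)

func main() {
	for _, u := range []string{"ram-user-alice", "ram-user-carol"} {
		fmt.Printf("%s: %s\n", u, Describe(SevenDayAccessCheck(strings.NewReader(sampleAuditLog), u, sampleNow)))
	}
}
```

Note that the request from 2025-05-20 falls outside the window and is ignored, which is why the console result is "only for reference": an application that uses the kubeconfig file less often than once a week will look idle.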

In which scenarios am I unable to delete kubeconfig files?

  • Abnormal cluster states: you cannot delete the kubeconfig files of clusters that are in the Deletion Failed, Deleting, Deleted, or Failed state.

  • Abnormal kubeconfig file or certificate states: you cannot delete kubeconfig files that are in the Not Issued, Revoked, or Unknown state.

  • You cannot delete kubeconfig files that are held by your own identity.

  • You cannot delete kubeconfig files issued to Alibaba Cloud accounts.

Can I restore kubeconfig files that are accidentally deleted or restore a historical version of a kubeconfig file?

You can use the kubeconfig recycle bin to restore kubeconfig files that you accidentally deleted or restore a historical version of a kubeconfig file. For more information, see Use the kubeconfig recycle bin.

What is the best security practice for kubeconfig file management?

You need to manage the accounts and credentials used to access ACK clusters, such as AccessKey pairs of RAM users, tokens, and kubeconfig files, and keep them confidential. Follow the principle of least privilege when you manage accounts and grant permissions on ACK clusters, and revoke permissions promptly. For example, after an employee resigns, revoke the cluster access permissions of that employee's account at the earliest opportunity. In addition, we recommend that you use ack-ram-authenticator for API server webhook authentication in an ACK managed cluster so that the kubeconfig files and RBAC permissions of a RAM user or RAM role are automatically revoked after the RAM user or RAM role is deleted.

Important

You are responsible for any losses or consequences caused by the leak or expiration of credentials, such as AccessKey pairs of RAM users and kubeconfig files, due to inappropriate credential management. Make sure that you have read and understood the requirements in the shared responsibility model.

References

If an employee leaves the company or a kubeconfig file is suspected to be leaked, you can revoke the kubeconfig file and generate a new kubeconfig file. For more information, see Revoke the kubeconfig file of a cluster.