
Container Service for Kubernetes: Delete kubeconfig files

Last Updated: Mar 20, 2024

Container Service for Kubernetes (ACK) signs and issues kubeconfig files that contain identity information to Alibaba Cloud accounts, Resource Access Management (RAM) users, or RAM roles. These kubeconfig files can be used to access ACK clusters. You can use the kubeconfig file management feature to view the status of the kubeconfig files issued to an Alibaba Cloud account, RAM user, or RAM role, either by cluster or by RAM user or RAM role. In addition, you can delete kubeconfig files that may pose security risks and revoke the associated permissions.

Prerequisites

The feature for deleting kubeconfig files is in canary release. To use this feature, submit a ticket.

Introduction to kubeconfig files

Kubeconfig files store credentials that are used by clients to access ACK clusters. You can use the ACK console or call the DescribeClusterUserKubeconfig API operation to obtain kubeconfig files. You must keep kubeconfig files confidential to avoid data breaches caused by credential leaks.

Important

A kubeconfig file becomes invalid after the validity period of the file ends. For more information about how to query the validity period of a kubeconfig file, see Issue 2: How do I query the expiration date of the certificate used in a kubeconfig file?

Status of kubeconfig files

The following table describes the status of the kubeconfig files used in ACK.

Status of kubeconfig files | Description
-------------------------- | -----------
Not Issued | The kubeconfig file of the current cluster is not issued to the RAM user or RAM role.
Effective | Either of the following: the kubeconfig file of the current cluster is issued to the RAM user or RAM role and the kubeconfig file is still valid; or the kubeconfig file issued to the RAM user or RAM role is deleted but the Role-Based Access Control (RBAC) permissions are not revoked.
Expired | The kubeconfig file of the current cluster is issued to the RAM user or RAM role but the kubeconfig file is expired.
Deleted | The kubeconfig file of the current cluster is issued to the RAM user or RAM role but the kubeconfig file is deleted. Deleting the kubeconfig file also deletes the kubeconfig information and the RBAC binding of the RAM user or RAM role.

We recommend that you check the importance and validity period of a kubeconfig file that is in effect before you delete it. For example, delete the kubeconfig files issued to employees who have resigned, and check validity periods to prevent business interruptions caused by kubeconfig file expiration. In addition, we recommend that you use ack-ram-authenticator to help the API server in an ACK managed cluster complete webhook authentication, so that the kubeconfig files and RBAC permissions of a RAM user or RAM role are automatically revoked after the RAM user or RAM role is deleted.

Important
  • Make sure that no risk will arise before you delete a kubeconfig file. Otherwise, you cannot access the API server of the ACK cluster that generates the kubeconfig file.

  • You are responsible for maintaining and managing kubeconfig files. You must delete kubeconfig files that pose security risks at the earliest opportunity.

Kubeconfig file management

Dimension | Scenarios | Required permission | Example
--------- | --------- | ------------------- | -------
Cluster | Manage the kubeconfig files of all RAM users or RAM roles in an ACK cluster. | | Example on managing cluster-level kubeconfig files
RAM user or RAM role | Manage all kubeconfig files that are issued to a RAM user or RAM role. | | Example on managing RAM user-level or RAM role-level kubeconfig files
Deleted RAM user or RAM role | Manage the residual kubeconfig files of a deleted RAM user or RAM role. The residual kubeconfig files are still in effect. | | Example on deleting residual kubeconfig files

Example on managing cluster-level kubeconfig files

  1. Log on to the ACK console. In the left-side navigation pane, click Authorizations.

  2. On the Authorizations page, click the KubeConfig File Management tab. Then, find the cluster that you want to manage and click KubeConfig File Management to go to the KubeConfig File Management page.

    You can view the RAM users or RAM roles that hold the kubeconfig file of the cluster, as well as RAM users or RAM roles whose kubeconfig file for the cluster has been deleted but that still hold RBAC permissions. This page displays the user information and certificate information contained in the kubeconfig file.

    • User information: includes the username, user ID, account type, and account status.

    • Certificate information: includes the expiration date and status of the certificate.

  3. After you confirm that the kubeconfig file of the current cluster held by a RAM user or RAM role is not used by any applications, click Delete KubeConfig File to the right of the RAM user or RAM role to delete the kubeconfig file.

    After you click Delete KubeConfig File, the system automatically accesses the audit log of the API server to check the access records of the kubeconfig file within the previous seven days. To use this feature, make sure that the cluster auditing feature of the API server is enabled. For more information, see Work with the cluster auditing feature of the API server.

Example on managing RAM user-level or RAM role-level kubeconfig files

  1. Log on to the ACK console. In the left-side navigation pane, click Authorizations.

  2. On the Authorizations page, click the RAM Users or RAM Roles tab. Then, find the RAM user or RAM role that you want to manage and click KubeConfig Management to go to the KubeConfig Management page.

    The page displays the status of the kubeconfig files of the clusters that belong to the RAM user or RAM role, including the cluster information and certificate information contained in each kubeconfig file.

    • Cluster information: includes the name and ID of the cluster.

    • Certificate information: includes the expiration date and status of the certificate, and the seven-day access records of the certificate.

  3. Delete the kubeconfig file of a cluster or batch delete the kubeconfig files of multiple clusters. Before you delete a kubeconfig file, make sure that the kubeconfig file is not used by any applications.

    • Delete the kubeconfig file of a cluster: Click Delete KubeConfig File to the right of a cluster to delete its kubeconfig file.

    • Batch delete the kubeconfig files of multiple clusters: Select the clusters whose kubeconfig files you want to delete and click Delete KubeConfig File in the lower-left part.


Example on deleting residual kubeconfig files

Use the ACK console

  1. Log on to the ACK console. In the left-side navigation pane, click Authorizations.

  2. The Authorizations page displays the following message if there are residual kubeconfig files of RAM users or RAM roles that have been deleted.

  3. Click manage the kubeconfig files associated with invalid accounts in the message to go to the Delete KubeConfig Files of Deleted RAM Users/Roles page.

    You can view the deleted RAM users or RAM roles whose kubeconfig files and RBAC permissions are still in effect on this page.

  4. Make sure that the residual kubeconfig file to be deleted is not used by any applications and click Delete KubeConfig File to the right of a deleted RAM user or RAM role to delete the kubeconfig file.


Use ack-ram-tool

For more information about how to use ack-ram-tool to delete kubeconfig files, see Use ack-ram-tool to revoke the permissions of specified users on ACK clusters.

FAQ about kubeconfig files

What is seven-day access record check?

The seven-day access record check feature checks whether a kubeconfig file is used to access the corresponding cluster within the previous seven days. To use this feature, make sure that the cluster auditing feature of the API server is enabled. For more information, see Work with the cluster auditing feature of the API server. This feature has limits and the check result is only for reference. You must make sure that the kubeconfig file to be deleted is not used by any applications.

How do I read the seven-day access record check result?

Check result | Type | Cause
------------ | ---- | -----
Successful | No access record is found. | The kubeconfig file is not used to access the API server of the cluster within the previous seven days.
Successful | Access records are found. | The kubeconfig file is used to access the API server of the cluster within the previous seven days.
Failed | Failed to query access records. | The seven-day access record check fails because cluster auditing is disabled, or due to other errors such as cluster connection failures or network issues.
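The seven-day access record check described above, as an added example that is not part of the original page or of ACK itself: it performs the same kind of lookup over a few constructed Kubernetes API server audit events (audit.k8s.io/v1 JSON lines) for a given username and returns the three outcomes of the table, including the failed case when the audit log is unavailable because cluster auditing is disabled. The usernames, URIs, timestamps and the fixed "current time" are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of API server audit events in the Kubernetes audit.k8s.io/v1
# JSON-lines format. Usernames, URIs and timestamps are made up for this example.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","user":{"username":"ram-user-example-a"},"verb":"list","requestURI":"/api/v1/pods","requestReceivedTimestamp":"2024-03-18T09:15:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","user":{"username":"ram-user-example-b"},"verb":"get","requestURI":"/api/v1/namespaces/default","requestReceivedTimestamp":"2024-02-01T08:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","user":{"username":"system:kube-controller-manager"},"verb":"watch","requestURI":"/api/v1/nodes","requestReceivedTimestamp":"2024-03-19T10:00:00.000000Z"}
"""
# Fixed "current time" so the example is reproducible (assumed, not read from the clock).
NOW = datetime(2024, 3, 20, 12, 0, tzinfo=timezone.utc)


def parse_events(audit_log_text):
    """Parse one audit event per line, skipping blank or malformed lines."""
    events = []
    for line in audit_log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def access_record_check(audit_log_text, username, now=NOW, days=7):
    """Seven-day access record check: returns (check result, type, matching records).

    audit_log_text is None when cluster auditing is disabled or the log could
    not be read; that maps to the "Failed" row of the FAQ table."""
    if audit_log_text is None:
        return ("Failed", "Failed to query access records.", [])
    window_start = now - timedelta(days=days)
    hits = []
    for ev in parse_events(audit_log_text):
        if ev.get("user", {}).get("username") != username:
            continue
        ts = ev.get("requestReceivedTimestamp")
        if not ts:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        if window_start <= when <= now:
            hits.append((ts, ev.get("verb"), ev.get("requestURI")))
    if hits:
        return ("Successful", "Access records are found.", hits)
    return ("Successful", "No access record is found.", [])
```

The returned records (timestamp, verb, request URI) are what you would review before deciding whether a kubeconfig file that still shows recent use can be deleted safely.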

Are there scenarios in which I cannot delete kubeconfig files?

  • Abnormal cluster states: Do not delete the kubeconfig files of clusters that are in the Deletion Failed, Deleting, Deleted, and Failed states.

  • Abnormal kubeconfig file or certificate states: Do not delete kubeconfig files that are in the Not Issued, Revoked, and Unknown states.

  • You cannot delete kubeconfig files held by you.

  • You cannot delete kubeconfig files issued to Alibaba Cloud accounts.

Can I restore kubeconfig files that are accidentally deleted or restore a historical version of a kubeconfig file?

You can use the kubeconfig recycle bin to restore kubeconfig files that you accidentally deleted or restore a historical version of a kubeconfig file. For more information, see Use the kubeconfig recycle bin.

What is the best security practice for kubeconfig file management?

You need to manage accounts and credentials used to access ACK clusters and keep them confidential, such as AccessKey pairs of RAM users, tokens, and kubeconfig files. Follow the least privilege principle when you manage accounts and grant permissions on ACK clusters, and revoke permissions promptly. For example, after an employee resigns, you need to revoke the cluster access permissions from the account of the employee at the earliest opportunity. In addition, we recommend that you use ack-ram-authenticator to help the API server in an ACK managed cluster complete webhook authentication so that the kubeconfig files and RBAC permissions of a RAM user or RAM role can be automatically revoked after the RAM user or RAM role is deleted.

Important

You are liable for any losses or consequences resulting from the leak or expiration of credentials, such as AccessKey pairs of RAM users and kubeconfig files, due to inappropriate credential management. Make sure that you have read and understand the requirements in Shared responsibility model.

Related topics

If an employee leaves the company or a kubeconfig file is suspected to be leaked, you can revoke the kubeconfig file and generate a new kubeconfig file.