
Container Service for Kubernetes:Revoke a cluster's kubeconfig file

Last Updated: Mar 25, 2026

In multi-tenant scenarios, Container Service for Kubernetes (ACK) signs and issues kubeconfig files containing identity information to users with different roles. When an employee leaves or a kubeconfig file is exposed, revoke it to prevent unauthorized cluster access.

Important

Deleting a RAM user or RAM role does not automatically revoke the RBAC permissions in their kubeconfig file. Always revoke the kubeconfig before deleting the RAM user.

Prerequisites

Before you begin, ensure that you have:

  • An ACK cluster created after the following dates:

    • ACK managed cluster or ACK dedicated cluster: October 15, 2019

    • ACK Serverless cluster: September 6, 2019

  • Access to the ACK console using an Alibaba Cloud account or a RAM user

Who can revoke what

Actor                  What can be revoked
Alibaba Cloud account  kubeconfig files of all RAM users and RAM roles managed by the account
RAM user               The RAM user's own kubeconfig file

After revoking a kubeconfig file, ACK automatically assigns a new kubeconfig file to the cluster.

Revoke kubeconfig files as an Alibaba Cloud account

Use this procedure to revoke kubeconfig files for RAM users and RAM roles managed by your Alibaba Cloud account — for example, when an employee leaves.

Important

An Alibaba Cloud account can only revoke kubeconfig files of RAM users or RAM roles it manages.

  1. Log on to the ACK console. In the left-side navigation pane, click Authorizations.

  2. On the RAM Users tab, find the target RAM user and click KubeConfig Management to view the clusters created by the RAM user.

  3. In the Actions column, click Delete KubeConfig File and follow the prompts to complete the revocation.

Revoke your own kubeconfig file as a RAM user

Use this procedure to revoke your own kubeconfig file when it is no longer needed or has been exposed.

Important

After the kubeconfig file is revoked, you can no longer use it to access the corresponding cluster.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the target cluster. In the left-side navigation pane, click Cluster Information.

  3. On the Connection Information tab, click Revoke KubeConfig, and then click OK.

Revoke kubeconfig for a permanently deleted RAM user

If a RAM user was deleted before their kubeconfig was revoked, ACK cannot automatically clean up the associated Role-Based Access Control (RBAC) bindings. Follow the steps below based on whether the RAM user is in the recycle bin.

Important

Before revoking, make sure no application in the cluster relies on the permissions in that kubeconfig file.

If the RAM user is in the recycle bin

  1. Restore the basic information of the RAM user from the recycle bin. You do not need to restore the AccessKey pair. For details, see Restore a RAM user from the recycle bin.

  2. As the Alibaba Cloud account, revoke the kubeconfig files for all clusters created by the RAM user. For details, see Revoke kubeconfig files as an Alibaba Cloud account.

  3. Move the RAM user back to the recycle bin. For details, see Move a RAM user to the recycle bin.

If the RAM user is permanently deleted

Manually delete the RBAC bindings associated with the deleted RAM user or RAM role.

ACK's authorization module names bindings using the RAM user or role ID:

Binding type        Naming format
ClusterRoleBinding  xxxxxxx-clusterrolebinding
RoleBinding         xxxxxxx-yyyyy-rolebinding

The ID prefix indicates the principal type: 2 = RAM user, 3 = RAM role.

Step 1: List ClusterRoleBindings

Run the following command as the cluster administrator:

kubectl get clusterrolebinding

Identify bindings that start with the deleted user's or role's ID.

Step 2: List RoleBindings

kubectl get rolebinding -A | grep 'cs:ns:'

Identify bindings that start with the deleted user's or role's ID.

Step 3: Verify whether the RAM user or role still exists

  • For bindings with a prefix of 2 (RAM user): Go to the RAM console, open the Users page, and search by the RAM user ID. If the user is not found, delete the binding.

  • For bindings with a prefix of 3 (RAM role): Call the ListRoles API and check whether the RAM role ID appears in the response. If it does not, delete the binding.

Step 4: Delete the orphaned bindings

kubectl delete clusterrolebinding xxxxxxx-clusterrolebinding
kubectl delete rolebinding xxxxxxx-yyyyy-rolebinding -n zzzz

Replace xxxxxxx with the RAM user or role ID, yyyyy with the binding identifier, and zzzz with the namespace of the RoleBinding.
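The audit in Steps 1 through 4, as an added Python example that is not part of the ACK documentation: it parses constructed `kubectl get` table output in the naming formats above, classifies each binding by the ID prefix (2 = RAM user, 3 = RAM role), compares the IDs against constructed sets of principals that still exist in RAM (the users found in the RAM console, the roles returned by ListRoles), and renders the delete commands for review instead of running them. The role names and IDs in the sample are placeholders.

```python
import re
from typing import NamedTuple

# Naming formats of ACK-managed bindings (from the page):
#   ClusterRoleBinding: <id>-clusterrolebinding
#   RoleBinding:        <id>-<binding-id>-rolebinding
# The first digit of <id> gives the principal type: 2 = RAM user, 3 = RAM role.
CRB_RE = re.compile(r"^(\d+)-clusterrolebinding$")
RB_RE = re.compile(r"^(\d+)-.+-rolebinding$")
PRINCIPAL_TYPES = {"2": "RAM user", "3": "RAM role"}

class Binding(NamedTuple):
    kind: str           # "clusterrolebinding" or "rolebinding"
    name: str
    namespace: str      # "" for ClusterRoleBindings
    principal_id: str
    principal_type: str

def _rows(output: str) -> list:
    # Skip kubectl's header row and any blank lines; split the remaining columns
    return [line.split() for line in output.splitlines()[1:] if line.strip()]

def parse_bindings(output: str, namespaced: bool) -> list:
    """Parse kubectl table output; `kubectl get rolebinding -A` has a leading NAMESPACE column.
    Only bindings that follow the ACK naming format with a known ID prefix are kept."""
    found = []
    for cols in _rows(output):
        ns, name = (cols[0], cols[1]) if namespaced else ("", cols[0])
        m = (RB_RE if namespaced else CRB_RE).match(name)
        if m and m.group(1)[0] in PRINCIPAL_TYPES:
            kind = "rolebinding" if namespaced else "clusterrolebinding"
            found.append(Binding(kind, name, ns, m.group(1), PRINCIPAL_TYPES[m.group(1)[0]]))
    return found

def find_orphaned(bindings: list, existing_user_ids, existing_role_ids) -> list:
    """Bindings whose principal no longer exists in RAM (Step 3 of the page)."""
    alive = {"RAM user": set(existing_user_ids), "RAM role": set(existing_role_ids)}
    return [b for b in bindings if b.principal_id not in alive[b.principal_type]]

def delete_commands(orphans: list) -> list:
    """Render the Step 4 kubectl delete commands so they can be reviewed before running."""
    return [f"kubectl delete {b.kind} {b.name}" + (f" -n {b.namespace}" if b.namespace else "")
            for b in orphans]

# Constructed sample output (not real cluster data); IDs and role names are placeholders.
CRB_OUTPUT = """NAME                                    ROLE                       AGE
2123456789012345678-clusterrolebinding  ClusterRole/placeholder    30d
3123456789012345678-clusterrolebinding  ClusterRole/placeholder    12d
cluster-admin                           ClusterRole/cluster-admin  400d
"""
RB_OUTPUT = """NAMESPACE  NAME                                   ROLE                    AGE
dev        2123456789012345678-abcde-rolebinding  Role/cs:ns:placeholder  30d
prod       2987654321098765432-fghij-rolebinding  Role/cs:ns:placeholder  5d
"""
# Constructed: principals still present in RAM. User 2987... and role 3123... were deleted.
EXISTING_USERS = {"2123456789012345678"}
EXISTING_ROLES = set()

def audit() -> list:
    bindings = parse_bindings(CRB_OUTPUT, False) + parse_bindings(RB_OUTPUT, True)
    return delete_commands(find_orphaned(bindings, EXISTING_USERS, EXISTING_ROLES))

if __name__ == "__main__":
    print("\n".join(audit()))
```

Feed it the real output of the two `kubectl get` commands and the IDs you confirmed in the RAM console and ListRoles; the script never deletes anything itself.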