In multi-tenant scenarios, Alibaba Cloud Container Compute Service (ACS) signs and issues kubeconfig files that contain identity information to users with different roles. The kubeconfig files can be used to connect to ACS clusters. When an employee resigns or an issued kubeconfig file is leaked, you can revoke the kubeconfig file to protect the cluster that it grants access to. This topic describes how to use an Alibaba Cloud account or a Resource Access Management (RAM) user to revoke an issued kubeconfig file.
Usage notes
Kubeconfig files can be revoked in the following ways:
Use an Alibaba Cloud account to revoke the kubeconfig files of all RAM users managed by the Alibaba Cloud account.
Use a RAM user to revoke the kubeconfig file of the RAM user itself.
After you revoke the kubeconfig file used to access a cluster, the system automatically issues a new kubeconfig file for the cluster. The revoked file can no longer be used to access the cluster.
Use an Alibaba Cloud account to revoke the kubeconfig files of all RAM users managed by the Alibaba Cloud account
An Alibaba Cloud account can revoke only the kubeconfig files of RAM users and RAM roles that are managed by that Alibaba Cloud account.
Use an Alibaba Cloud account to log on to the ACS console and perform the following steps:
Log on to the ACS console. In the left-side navigation pane, click Permission Management.
On the RAM Users tab, find the RAM user in the username list and click KubeConfig Management to view the list of clusters created by the RAM user. Then, follow the on-screen instructions to revoke the kubeconfig files.
Use a RAM user to revoke the kubeconfig file of the RAM user
Use a RAM user to log on to the ACS console and perform the following steps:
Note: After the kubeconfig file is revoked, the RAM user can no longer use it to access the corresponding cluster. Proceed with caution.
Log on to the ACS console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its ID. In the left-side navigation pane, click Cluster Information.
Click the Connection Information tab, click Revoke KubeConfig, and then click OK.
Revoke the kubeconfig file of a resigned employee or an untrusted user
Before you delete the RAM user or RAM role that a resigned employee or an untrusted user used, you must first use an Alibaba Cloud account to revoke the kubeconfig file of that RAM user or RAM role. Deleting only the RAM user or RAM role does not revoke the Role-Based Access Control (RBAC) permissions bound to the identity in the kubeconfig file, so the issued file still grants those permissions.
Before you revoke the kubeconfig file of a resigned employee or an untrusted user, make sure that no application in the corresponding cluster relies on the permissions in the kubeconfig file. Then, revoke the kubeconfig file and delete the RAM user. For more information, see Use an Alibaba Cloud account to revoke the kubeconfig files of all RAM users managed by the Alibaba Cloud account.
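As an added example that is not part of the ACS documentation, the following shell script supports both the RAM-user revocation steps above and the offboarding case: it prints which identity an issued kubeconfig file carries (useful when a file turns up on a laptop or in a CI secret store), and it checks, after Revoke KubeConfig has been clicked, that the cluster really rejects the old file, which is the check to run before the RAM user is deleted. It assumes openssl, base64 and kubectl are on PATH and that the kubeconfig embeds the client certificate inline as client-certificate-data; the sample kubeconfig it builds, the subject fields and the function names are constructed for this example and are not ACS identifiers.

```shell
#!/usr/bin/env bash
# Added example, not part of the ACS documentation. Assumes openssl, base64
# and kubectl are installed. Subject fields below are illustrative only.
set -eu

# Print the subject and expiry of the client certificate embedded in the
# kubeconfig $1, so you know which identity the file was issued to before
# deciding whether to revoke it. Assumes inline client-certificate-data.
kubeconfig_identity() {
    kc="$1"
    b64=$(grep -m1 'client-certificate-data:' "$kc" \
          | sed 's/.*client-certificate-data:[[:space:]]*//')
    if [ -z "$b64" ]; then
        echo "no client-certificate-data in $kc" >&2
        return 1
    fi
    printf '%s' "$b64" | base64 -d | openssl x509 -noout -subject -enddate
}

# Return 0 when the cluster rejects the kubeconfig $1 (credential is dead),
# 1 when the API server still serves it, 2 when the result is inconclusive
# (network error, kubectl missing). /api is served to any authenticated
# identity, so a valid credential of any role passes the request, while a
# revoked one fails authentication or authorization.
assert_revoked() {
    kc="$1"
    if out=$(kubectl --kubeconfig "$kc" --request-timeout=10s get --raw /api 2>&1); then
        echo "STILL VALID: $kc reaches the API server: $out" >&2
        return 1
    fi
    case "$out" in
        *Unauthorized*|*[Ff]orbidden*|*certificate*|*x509*)
            echo "revoked: $out" >&2
            return 0 ;;
        *)
            echo "inconclusive: $out" >&2
            return 2 ;;
    esac
}

# Build a sample kubeconfig (constructed for this example) around a throwaway
# self-signed client certificate and print its path. Real ACS files are
# issued by the console; this only exercises kubeconfig_identity offline.
build_sample_kubeconfig() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=ram:user/CN=sample-ram-user" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    cert_b64=$(base64 < "$dir/cert.pem" | tr -d '\n')
    key_b64=$(base64 < "$dir/key.pem" | tr -d '\n')
    cat > "$dir/kubeconfig" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: sample-cluster
  cluster:
    server: https://127.0.0.1:6443
    insecure-skip-tls-verify: true
users:
- name: sample-user
  user:
    client-certificate-data: $cert_b64
    client-key-data: $key_b64
contexts:
- name: sample
  context:
    cluster: sample-cluster
    user: sample-user
current-context: sample
EOF
    echo "$dir/kubeconfig"
}

# Usage: source this file, then run kubeconfig_identity <file> before revoking
# and assert_revoked <file> after. KUBECONFIG_CHECK_DEMO=1 runs the offline part.
if [ "${KUBECONFIG_CHECK_DEMO:-}" = "1" ]; then
    kubeconfig_identity "$(build_sample_kubeconfig)"
fi
```

Run assert_revoked against a copy of the old file from a host that still has network access to the API server; a return code of 2 means the check did not reach the cluster and proves nothing, so do not treat it as a successful revocation.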