Reputation: 545
How to revoke tokens from aks get-credentials?
The command az aks get-credentials gives clients a token that allows them to connect to Kubernetes. Where are these stored on the Azure side, and how can I revoke them?
Upvotes: 1
Views: 1878
Answers (1)
Reputation: 1051
Client tokens can be revoked by running az aks rotate-certificates. This operation can incur downtime, so is not the ideal method to use for fine-grained revokation. See https://learn.microsoft.com/en-us/azure/aks/certificate-rotation.
To be able to revoke individual access (for example when someone leaves the company), you should be setting up your cluster with RBAC. You can then add and remove users/groups via RoleBinding resources which will reflect access grants/restrictions immediately after making a change. Users should be granted "Azure Kubernetes Service Cluster User Role" rather than the Admin role. Please see detailed instructions on Active Directory integrated RBAC here: https://learn.microsoft.com/en-us/azure/aks/azure-ad-rbac
Upvotes: 4
Related Questions
- Azure Kubernetes Error when running "az aks get-credentials" command
- Azure AKS Client Secret expired - How to change?
- How to obtain Azure credentials using kubectl?
- How to revoke an azure DevOps token with only the token value known?
- How to revoke a token Apereo CAS Oauth
- How can block azure aks get-credentials --admin and allow azure aks get-credentials only on azure?
- Set authentication-token-webhook-config-file
- Revoke a refresh token on Azure AD B2C
- How to revoke Asana OAuth tokens?
- Azure AD: revoke authorization code?