snippetkubernetesMinor
How do I expire users credentials for Kubernetes in Azure?
Viewed 0 times
kubernetesexpirecredentialsazureforhowusers
Problem
I am looking for information on how to forcefully expire users credentials in Azure Kubernetes Service (AKS). The reason is to better understand Security models and protecting Kubernetes deployments from unauthorized access.
Scenario: You are an Administrator and your notebook is lost/stolen. Your Kubernetes credentials have been cached because you used
Thankfully this has not happened to me. However, imagine the nightmare! Now, how do we prevent unauthorized access with this scenario?
One thing I have not yet found is how/where to forcefully expire credentials after X hours. Thus requiring users to get fresh credentials every day or (X hours). What should I be looking for or where can I find documentation that talks of this?
Google searches did not render results to answer this.
Scenario: You are an Administrator and your notebook is lost/stolen. Your Kubernetes credentials have been cached because you used
az aks get-credentials .... The one who now has your notebook has been able to extract your ~/.kube/config file. They now have your Admin access!Thankfully this has not happened to me. However, imagine the nightmare! Now, how do we prevent unauthorized access with this scenario?
One thing I have not yet found is how/where to forcefully expire credentials after X hours. Thus requiring users to get fresh credentials every day or (X hours). What should I be looking for or where can I find documentation that talks of this?
Google searches did not render results to answer this.
Solution
First How to check Check certificate expiration
You can use the
Simplest remedy : you can choose to upgrade the control plance which will renew the certs and then you are good and secure as before loosing your laptop.
Automatic certificate renewal
Note : kubeadm renews all the certificates during control plane upgrade.
This feature is designed for addressing the simplest use cases; if you don’t have specific requirements on certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year in between each upgrade), kubeadm will take care of keeping your cluster up to date and reasonably secure.
Note: It is a best practice to upgrade your cluster frequently in order to stay secure.
Another option is to perform Manual certificate renewal
Note: The default Kubernetes certificates normally reach their expiration date after one year.
Refer more on
You probably also need to explore the beta feature for Certificate Rotation
You can use the
kubeadm alpha certs check-expiration command to check when certificates expire on a given cluster.Simplest remedy : you can choose to upgrade the control plance which will renew the certs and then you are good and secure as before loosing your laptop.
Automatic certificate renewal
Note : kubeadm renews all the certificates during control plane upgrade.
This feature is designed for addressing the simplest use cases; if you don’t have specific requirements on certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year in between each upgrade), kubeadm will take care of keeping your cluster up to date and reasonably secure.
Note: It is a best practice to upgrade your cluster frequently in order to stay secure.
Another option is to perform Manual certificate renewal
Note: The default Kubernetes certificates normally reach their expiration date after one year.
Refer more on
kubeadm alpha certs renew command usage.You probably also need to explore the beta feature for Certificate Rotation
Context
StackExchange DevOps Q#10700, answer score: 2
Revisions (0)
No revisions yet.