Reset/remove kubeconfig file user from Kubernetes


Whenever you start a Kubernetes cluster at one of the big clouds (EKS at AWS, GKE at GCP, AKS at Azure, or Kubernetes at Digitalocean), you can generate a kubeconfig file from them, which grants you full access.

It is very nice to work with them, but I am always concerned about what I can do if someone manages to steal the file. What can I do then?

I never found a button at any of the big clouds to revoke access for a stolen kubeconfig and to regenerate a new one. Is there anything I can do to make that aspect more secure? If you have documentation at hand, that would be appreciated.


In GKE on GCP, the kubeconfig file generated during cluster creation is located at $HOME/.kube/config. The kubeconfig location defaults to $HOME/.kube/config, where $HOME refers to the user's directory under /home/.

1. If you want to remove a user from the kubeconfig file, use the following command:

$ kubectl --kubeconfig=<kubeconfig-name> config unset users.<name>

2. If you want to regenerate the kubeconfig file with the previous kubeconfig contents, try authorizing the cluster using the command:

$ gcloud container clusters get-credentials <cluster-name> --zone <zone> --project <project-id>

3. If you want to restrict which users can read the kubeconfig file, set its permissions using one of the following commands:

$ chmod 644 <kubeconfig-file> - the owner can read and write the file, and all others on the system can only read it.

$ chmod 640 <kubeconfig-file> - the owner has read and write permissions, the group has read permission, and all other users have no rights to the file.

$ chmod 600 <kubeconfig-file> - only the owner of the file has read and write access to it. Once a file's permissions are set to 600, no one else can access the file.

NOTE: Revoking the contents of a kubeconfig file after the file has been deleted is not possible; you can only regenerate the contents of the kubeconfig file by authorizing the cluster again.

Refer to the documentation for more information.
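As an added example (not part of the answer above or of any kubectl/gcloud tooling), the following Python models the three steps on a constructed kubeconfig: it flags user entries that embed a static credential (the part of a stolen file that remains usable by the thief), removes a user the way `kubectl config unset users.<name>` does (and additionally prunes contexts that reference it), and checks that the file mode is 0600. The cluster, user names and credential values are placeholders.

```python
import os
import stat
import copy

# Constructed sample kubeconfig as a JSON-shaped dict (kubectl also accepts JSON).
# All names and values are placeholders, not real credentials.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "gke_demo", "cluster": {"server": "https://203.0.113.10"}}],
    "users": [
        # Static bearer token: valid for whoever holds the file until it expires or is rotated.
        {"name": "legacy-admin", "user": {"token": "PLACEHOLDER-TOKEN"}},
        # Exec plugin: the file itself holds no secret; the plugin fetches a short-lived token.
        {"name": "gke-user", "user": {"exec": {"command": "gke-gcloud-auth-plugin",
                                               "apiVersion": "client.authentication.k8s.io/v1beta1"}}},
    ],
    "contexts": [
        {"name": "legacy", "context": {"cluster": "gke_demo", "user": "legacy-admin"}},
        {"name": "gke", "context": {"cluster": "gke_demo", "user": "gke-user"}},
    ],
    "current-context": "gke",
}

# Keys whose presence means the kubeconfig itself carries a reusable secret.
STATIC_SECRET_KEYS = ("token", "client-certificate-data", "client-key-data", "password")

def long_lived_users(cfg):
    """Names of users whose entry embeds a static credential (usable by anyone holding the file)."""
    return [u["name"] for u in cfg.get("users", [])
            if any(k in u.get("user", {}) for k in STATIC_SECRET_KEYS)]

def unset_user(cfg, name):
    """Drop a user as `kubectl config unset users.<name>` does, and also prune
    contexts that reference it (kubectl leaves those dangling). Returns a new dict."""
    new = copy.deepcopy(cfg)
    new["users"] = [u for u in new.get("users", []) if u["name"] != name]
    new["contexts"] = [c for c in new.get("contexts", [])
                       if c.get("context", {}).get("user") != name]
    if not any(c["name"] == new.get("current-context") for c in new["contexts"]):
        new.pop("current-context", None)   # current-context pointed at a removed context
    return new

def mode_is_private(st_mode):
    """True when the permission bits are exactly 0600 (owner read/write only, as in step 3)."""
    return stat.S_IMODE(st_mode) == 0o600

def file_is_private(path):
    return mode_is_private(os.stat(path).st_mode)
```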