Some companies require that, when an employee leaves, their data and access are removed.

The problem with Kubernetes is that your credentials are stored in your kubeconfig file. So, if you leave the company, take the file with you, and copy it to your personal computer, you will still be able to connect to the AKS cluster, unless a network restriction is in place, for example one that authorizes only the public IP of your company.

So, one way to remove this access is to renew the CA of your AKS cluster. All other employees must then renew their credentials after this CA certificate rotation. And to renew these credentials, you need… Azure CLI access, with your company credentials 🙂 So this method is perfect.

You need to be careful when you do this CA rotation, because your cluster will be down for some minutes (maximum 30 minutes). Why? Because all of your pods will be redeployed with the new CA 🙂

So, to start, execute the following command:

[Image: CA rotation certificate]

When it’s done, if you try to get pods, for example, you will get the following error:

[Image: Verification error]

So you need to log in with az login and get your credentials again:

[Image: Try log in with az login]

Now, you will be able to get your pods again:

[Image: Get your pods again]

And, as you can see, the pods are very recent, because they have been redeployed with the new CA.

If you use the ca.crt in your secrets, for example, you will need to update them with the following script:

What does it do? It takes the ca.crt that you just retrieved and updates each secret with this new one:

[Image: Update each secret with this new ca.crt that you just get]
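The following is an added example, not the author's script: it reads the CA from the current kubeconfig context (assumed to have been refreshed with az login and a new credentials download after the rotation), lists every secret whose ca.crt differs from it, and patches those secrets only when run with --apply. The function names and the --apply flag are assumptions of this example.

```python
#!/usr/bin/env python3
# Added example (not the post's script): helper names and --apply are assumptions.
import base64
import json
import subprocess
import sys


def cluster_ca_pem(kubeconfig: dict) -> bytes:
    """CA PEM for the current context of `kubectl config view -o json` output."""
    ctx = next(c["context"] for c in kubeconfig["contexts"]
               if c["name"] == kubeconfig["current-context"])
    cluster = next(c["cluster"] for c in kubeconfig["clusters"]
                   if c["name"] == ctx["cluster"])
    return base64.b64decode(cluster["certificate-authority-data"])


def stale_secrets(secret_list: dict, ca_pem: bytes) -> list:
    """(namespace, name) of every secret whose ca.crt is not the given CA."""
    stale = []
    for item in secret_list.get("items", []):
        data = item.get("data") or {}
        if "ca.crt" not in data:
            continue  # this secret does not embed a CA certificate
        if base64.b64decode(data["ca.crt"]).strip() != ca_pem.strip():
            stale.append((item["metadata"]["namespace"], item["metadata"]["name"]))
    return stale


def ca_patch(ca_pem: bytes) -> str:
    """JSON merge patch that sets data['ca.crt'] to the new CA."""
    return json.dumps({"data": {"ca.crt": base64.b64encode(ca_pem).decode()}})


def kubectl_json(*args: str) -> dict:
    """Run kubectl with JSON output and return the parsed document."""
    out = subprocess.run(["kubectl", *args, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    apply = "--apply" in sys.argv  # without it, only list the stale secrets
    ca = cluster_ca_pem(kubectl_json("config", "view", "--raw", "--minify", "--flatten"))
    for ns, name in stale_secrets(kubectl_json("get", "secrets", "--all-namespaces"), ca):
        print(f"stale ca.crt: {ns}/{name}")
        if apply:
            subprocess.run(["kubectl", "-n", ns, "patch", "secret", name,
                            "--type", "merge", "-p", ca_patch(ca)], check=True)
```

Run it once without --apply to review which secrets still carry the old CA before changing anything.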

Florent Appointaire
Florent Appointaire is a Microsoft Engineer with 5 years of experience, specialized in Cloud Technologies (Public/Hybrid/Private). He has been a freelance consultant in Belgium since the beginning of 2017. He is an MVP in Cloud and Datacentre Management. He is MCSE Private Cloud and Hyper-V certified. His favorite products are SCVMM, SCOM, Windows Azure Pack/Azure Stack and Microsoft Azure.