As requirements for some company, when an employee leaves the company, it is to remove data and accesses.

The problem with Kubernetes, is that you have credentials, in your kube file. So, if you leave the company, get the file with you, and copy it to your personal computer, you will be able to connect to the AKS cluster, except if you implemented network restriction for example, by authorizing only the public IP of you company.

So, one way to remove these accesses, is to renew the CA of your AKS cluster. But, all other employees must renew their credentials, after this CA rotation certificate. And to renew these credentials, you need… an Azure CLI access, with your company credentials 🙂 So this method is perfect.

You need to be careful when you do this CA rotation, because your cluster will be down for some minutes (maximum 30 minutes). Why? Because all of your pods will be redeployed with this new CA 🙂

So, to start, execute the following command:

CA rotation certificate

When it’s done, if you try to get pods for example, you will have the following error:

Verification error

So, you need to login, with az login, and get credentials again:

Try log in with az login

Now, you will be able to get your pods again:

Get your pods again

And, as you can see, the age of pods are pretty new, because they have been redeployed with the new CA.

If you use the ca.crt in your secret, for example, you will need to update them, with the following script:

VSAN from StarWind is software-defined storage (SDS) solution created with restricted budgets and maximum output in mind. It pulls close to 100% of IOPS from existing hardware, ensures high uptime and fault tolerance starting with just two nodes. StarWind VSAN is hypervisor and hardware agnostic, allowing you to forget about hardware restrictions and crazy expensive physical shared storage.

Build your infrastructure with off-the-shelf hardware, scale however you like, increase return on investment (ROI) and enjoy Enterprise-grade virtualization features and benefits at SMB price today!


What it will do here? It will get you ca.crt that you just get, and update each secret with this new one:

Update each secret with this new ca.crt that you just get

Back to blog