
Certificate rotation for your AKS cluster to improve the security

  • February 23, 2021
  • 5 min read
Cloud and Virtualization Architect and Microsoft MVP. Florent specializes in public, private, and hybrid cloud ecosystems. An MCSE in Private Cloud, he provides technical leadership in Cloud and Datacenter Management. Florent delivers high-authority insights on Azure deployments, virtualization strategy, and optimizing enterprise-scale cloud infrastructure.


A requirement in some companies is that when an employee leaves, their data and access must be removed.

The problem with Kubernetes is that your credentials live in your kube config file. So if you leave the company, take the file with you and copy it to your personal computer, you will still be able to connect to the AKS cluster, unless you have implemented a network restriction, for example by authorizing only the public IP of your company.

So one way to remove these accesses is to rotate the CA of your AKS cluster. But then all other employees must renew their credentials after this CA rotation. And to renew these credentials, you need… Azure CLI access with your company credentials 🙂 So this method is perfect.

You need to be careful when you do this CA rotation, because your cluster will be down for some minutes (maximum 30 minutes). Why? Because all of your pods will be redeployed with this new CA 🙂

So, to start, execute the following command:

az aks rotate-certs -g Starwind -n Starwind

CA rotation certificate

When it’s done, if you try to get the pods, for example, you will get the following error:

Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "ca")

Verification error

So you need to log in with az login and get the credentials again:

az aks get-credentials -g Starwind -n Starwind

Try log in with az login

Now, you will be able to get your pods again:

Get your pods again

And as you can see, the age of the pods is very recent, because they have been redeployed with the new CA.

If you use the ca.crt from your secrets, for example, you will need to update them with the following script:

#!/usr/bin/env bash
clusterName=Starwind

kubectl config use-context $clusterName

# Read the new CA (base64-encoded) from the kubeconfig entry of this cluster
base64_encoded_ca=$(kubectl config view --raw -o jsonpath="{.clusters[?(@.name == '$clusterName')].cluster.certificate-authority-data}")

# Replace ca.crt in every service-account-token secret, in every namespace
for namespace in $(kubectl get ns --no-headers | awk '{print $1}')
do
    for token in $(kubectl get secrets --namespace "$namespace" --field-selector type=kubernetes.io/service-account-token -o name)
    do
        if [[ "$OSTYPE" == "darwin"* ]]; then
            kubectl get $token --namespace "$namespace" -o yaml | sed "s/\(ca.crt:\).*/\1 ${base64_encoded_ca}/" | kubectl apply -f -
        else
            kubectl get $token --namespace "$namespace" -o yaml | /bin/sed "s/\(ca.crt:\).*/\1 ${base64_encoded_ca}/" | kubectl apply -f -
        fi
    done
done


What does it do? It reads the new ca.crt you just retrieved and updates each service-account-token secret with it:

Update each secret with this new ca.crt that you just get
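A check you will want after the rotation is whether every service-account-token secret actually carries the new CA. The following Python script is an added example, not part of the article: it reads the same certificate-authority-data field the script above extracts, but from the JSON output of kubectl config view --raw -o json and kubectl get secrets -A -o json, lists the secrets still holding an old ca.crt, and builds a patch that touches only data.ca.crt instead of regexing the YAML. The kubeconfig and secret documents are constructed samples; the CA blobs are placeholders, not real certificates.

```python
import base64
import json
from typing import List, Tuple

# Constructed placeholders standing in for the old and the rotated cluster CA
NEW_CA_B64 = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nNEW-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n").decode()
OLD_CA_B64 = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nOLD-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n").decode()

# Constructed sample of `kubectl config view --raw -o json` after `az aks get-credentials`
KUBECONFIG_JSON = json.dumps({
    "clusters": [
        {"name": "Starwind",
         "cluster": {"server": "https://starwind.example:443",
                     "certificate-authority-data": NEW_CA_B64}}
    ]
})

# Constructed sample of `kubectl get secrets -A --field-selector type=kubernetes.io/service-account-token -o json`
SECRETS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "default-token-abc12", "namespace": "default"},
         "type": "kubernetes.io/service-account-token",
         "data": {"ca.crt": OLD_CA_B64, "token": "dG9rZW4="}},
        {"metadata": {"name": "app-token-xyz98", "namespace": "app"},
         "type": "kubernetes.io/service-account-token",
         "data": {"ca.crt": NEW_CA_B64, "token": "dG9rZW4="}},
    ]
})


def cluster_ca(kubeconfig_json: str, cluster_name: str) -> str:
    """Return certificate-authority-data of the named cluster (the field the article's jsonpath reads)."""
    for c in json.loads(kubeconfig_json)["clusters"]:
        if c["name"] == cluster_name:
            return c["cluster"]["certificate-authority-data"]
    raise KeyError(f"cluster {cluster_name!r} not found in kubeconfig")


def stale_secrets(secrets_json: str, expected_ca: str) -> List[Tuple[str, str]]:
    """List (namespace, name) of service-account-token secrets whose ca.crt is not the current CA."""
    stale = []
    for item in json.loads(secrets_json)["items"]:
        if item.get("type") != "kubernetes.io/service-account-token":
            continue
        if item.get("data", {}).get("ca.crt") != expected_ca:
            stale.append((item["metadata"]["namespace"], item["metadata"]["name"]))
    return stale


def patch_body(expected_ca: str) -> str:
    """Merge patch replacing only data["ca.crt"], usable with `kubectl patch secret NAME -n NS -p`."""
    return json.dumps({"data": {"ca.crt": expected_ca}})
```

Run stale_secrets() before and after the update script: an empty list after it means every service-account-token secret now presents the rotated CA.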
