
I am looking for information on how to forcefully expire users credentials in Azure Kubernetes Service (AKS). The reason is to better understand Security models and protecting Kubernetes deployments from unauthorized access.

Scenario: You are an Administrator and your notebook is lost/stolen. Your Kubernetes credentials have been cached because you used az aks get-credentials .... The one who now has your notebook has been able to extract your ~/.kube/config file. They now have your Admin access!

Thankfully this has not happened to me. However, imagine the nightmare! Now, how do we prevent unauthorized access with this scenario?

One thing I have not yet found is how/where to forcefully expire credentials after X hours. Thus requiring users to get fresh credentials every day or (X hours). What should I be looking for or where can I find documentation that talks of this?

Google searches did not render results to answer this.

Ta Mu
Steven K7FAQ

2 Answers

First, how to check certificate expiration

You can use the kubeadm alpha certs check-expiration command to check when certificates expire on a given cluster.

Simplest remedy: you can choose to upgrade the control plane, which will renew the certs, and then you are as good and secure as before losing your laptop.

Automatic certificate renewal

Note : kubeadm renews all the certificates during control plane upgrade.

This feature is designed for addressing the simplest use cases; if you don’t have specific requirements on certificate renewal and perform Kubernetes version upgrades regularly (less than 1 year in between each upgrade), kubeadm will take care of keeping your cluster up to date and reasonably secure.

Note: It is a best practice to upgrade your cluster frequently in order to stay secure.

Another option is to perform Manual certificate renewal

Note: The default Kubernetes certificates normally reach their expiration date after one year.

Refer to the kubeadm alpha certs renew command usage for more.

You probably also need to explore the beta feature for Certificate Rotation

DT.

You would normally use an Azure AD object like a Service Principal to get the credentials for AKS using the az aks get-credentials command.

To expire the AKS credentials, you need to set a policy for token expiry on the Service Principal which you use.

Once you set the expiry time, kubectl will ask you to reauthenticate when the token expires.

Refer: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

This github issue can help understand as well: https://github.com/Azure/AKS/issues/133
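Added example, not code from either answer, from Azure, or from the Kubernetes docs: a POSIX shell script that inspects a kubeconfig file the way the two answers suggest. It reports the notAfter date of any client certificate embedded in the file (the static credential a stolen ~/.kube/config hands over), checks with openssl whether every such cert will still be valid N seconds from now, and classifies the file as static-cert versus exec-plugin/auth-provider, the Azure AD token path the second answer relies on, where kubectl has to fetch a fresh token at use time instead of carrying a long-lived secret. The two sample kubeconfigs, the CN "demo-admin", the user names and the file names are constructed for this example; it needs openssl, base64, grep and sed.

```sh
#!/bin/sh
# Added example (not from the original answers): inspect a kubeconfig for the
# static client certificate that a stolen ~/.kube/config would hand over.
# Requires: openssl, base64, grep, sed. The fixtures at the bottom are constructed.

# Pull every client-certificate-data value (one base64 blob per user entry).
# kubeconfig is YAML, but the field is always a single line, so grep/sed suffices.
_kubeconfig_cert_blobs() {
  grep -E '^[[:space:]]*client-certificate-data:' "$1" | sed 's/.*:[[:space:]]*//'
}

# Print the notAfter date of each embedded client cert, one per line.
kubeconfig_cert_expiry() {
  for b64 in $(_kubeconfig_cert_blobs "$1"); do
    printf '%s' "$b64" | base64 -d | openssl x509 -noout -enddate | sed 's/^notAfter=//'
  done
}

# Exit 0 only if the file has at least one client cert and every one of them
# is still valid $2 seconds from now (openssl -checkend); exit 1 otherwise.
kubeconfig_cert_valid_for() {
  found=0
  for b64 in $(_kubeconfig_cert_blobs "$1"); do
    found=1
    printf '%s' "$b64" | base64 -d \
      | openssl x509 -noout -checkend "$2" >/dev/null || return 1
  done
  [ "$found" -eq 1 ]
}

# Classify how the kubeconfig authenticates. A static cert is a bearer
# credential that stays valid until notAfter no matter what the cluster does;
# exec-plugin / auth-provider entries obtain an Azure AD token at use time,
# so token lifetime and revocation are controlled on the identity side.
kubeconfig_auth_kind() {
  if grep -qE '^[[:space:]]*client-certificate-data:' "$1"; then echo static-cert
  elif grep -qE '^[[:space:]]*exec:' "$1"; then echo exec-plugin
  elif grep -qE '^[[:space:]]*auth-provider:' "$1"; then echo auth-provider
  else echo unknown
  fi
}

# Constructed fixture: kubeconfig with a throwaway self-signed client cert
# valid for $2 days, the shape a cert-based user entry takes.
make_static_cert_kubeconfig() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj '/CN=demo-admin' \
    -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1
  cat >"$1" <<EOF
apiVersion: v1
kind: Config
users:
- name: demo-admin
  user:
    client-certificate-data: $(base64 "$d/cert.pem" | tr -d '\n')
    client-key-data: $(base64 "$d/key.pem" | tr -d '\n')
EOF
  rm -rf "$d"
}

# Constructed fixture: kubeconfig whose user entry runs an exec plugin
# (kubelogin-style) to fetch a token instead of storing a credential.
make_exec_kubeconfig() {
  cat >"$1" <<'EOF'
apiVersion: v1
kind: Config
users:
- name: demo-aad-user
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: kubelogin
      args: [get-token, --login, devicecode]
EOF
}

# Usage: sh kubeconfig-check.sh ~/.kube/config [seconds, default 24h]
main() {
  cfg=$1; secs=${2:-86400}
  echo "auth kind: $(kubeconfig_auth_kind "$cfg")"
  kubeconfig_cert_expiry "$cfg" | sed 's/^/client cert expires: /'
  if kubeconfig_cert_valid_for "$cfg" "$secs"; then
    echo "static cert still valid in $secs s: anyone holding this file is you"
  fi
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it against the file az aks get-credentials wrote: a static-cert result with a notAfter months away is exactly the exposure the question describes, and no token-lifetime policy shortens it; an exec-plugin or auth-provider result means the file by itself only yields access for as long as the Azure AD tokens it can obtain stay valid.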