I have a question about giving access to a k8s cluster. For example, a new member joined our team. He created a CertificateSigningRequest and I approved it. Then I created a kubeconfig and gave it to him to access our cluster. If he leaves our team one day, how can I remove his access? I want him to be unable to access our cluster with this kubeconfig.
As of right now, you cannot revoke client certificates that have already been approved. You might want to consider using an external authentication provider. More information has already been asked/answered in this question: https://stackoverflow.com/questions/64906309/how-to-revoke-client-certificates-in-kubernetes – meaningqo Aug 22 '21 at 09:15
1 Answer
2
IMHO you should use an external authentication provider. You can take a look at https://dexidp.io/docs/kubernetes/, which is an abstraction layer to other IDaaS providers like Azure, Google, GitHub and many more. For example, if your company uses Active Directory, you can control the access to the cluster using group memberships, where withdrawing access is then part of the company-wide leaver process.

aljoshare
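A sketch of the group-based setup the answer above describes, as an added example that is not part of the original answer. It assumes a kubeadm-managed control plane (v1beta3 config API) and uses placeholders for the Dex issuer URL, the client ID, and the user and group names.

```yaml
# Added example; issuer URL, client ID, user and group names are placeholders.
# Assumption: control plane managed by kubeadm (v1beta3 config API).
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
apiServer:
  extraArgs:
    oidc-issuer-url: https://dex.example.com   # placeholder Dex issuer
    oidc-client-id: kubernetes                 # placeholder client registered in Dex
    oidc-username-claim: email
    oidc-groups-claim: groups                  # claim carrying the directory groups
    oidc-groups-prefix: "oidc:"                # keeps IdP groups apart from built-in groups
---
# Before: access bound to one person's client certificate (subject = cert CN).
# The certificate stays valid until it expires, whether or not he is on the team.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: new-member-edit            # hypothetical name
subjects:
  - kind: User
    name: new-member               # hypothetical CN from the approved CSR
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit                       # built-in ClusterRole, chosen for illustration
  apiGroup: rbac.authorization.k8s.io
---
# After: access bound to a directory group delivered in the OIDC token.
# Removing him from the group in the directory takes effect once his
# current ID token expires.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: platform-team-edit         # hypothetical name
subjects:
  - kind: Group
    name: "oidc:platform-team"     # groups prefix + group claim value (placeholder)
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```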