How do I expire users credentials for Kubernetes in Azure?

HOW TO -️ October 18, 2021

I am looking for information on how to forcefully expire users credentials in Azure Kubernetes Service (AKS). The reason is to better understand Security models and protecting Kubernetes deployments from unauthorized access.

Scenario: You are an Administrator and your notebook is lost/stolen. Your Kubernetes credentials have been cached because you used az aks get-credentials .... The one who now has your notebook has been able to extract your ~/.kube/config file. They now have your Admin access!

Thankfully this has not happened to me. However, imagine the nightmare! Now, how do we prevent unauthorized access with this scenario?

One thing I have not yet found is how/where to forcefully expire credentials after X hours. Thus requiring users to get fresh credentials every day or (X hours). What should I be looking for or where can I find documentation that talks of this?

Google searches did not render results to answer this.


side note for reference, AWS implements this requirement through service-linked roles.