Tags: amazon-web-services, kubernetes, rbac, kops

Regenerate master certificates for a Kubernetes cluster


We have a few k8s clusters in AWS that were created using Kops.
We are trying to improve security by setting up RBAC using service accounts and users.
Unfortunately, some of our devs were given the master/admin certificates.
Would it be possible to regenerate the master certificates without creating a new cluster?

Other best practices related to security would also be appreciated! Thanks.


Solution

  • This is a community wiki answer based on a solution from a similar question. Feel free to expand it.

    As already mentioned in the comments, the answer to your question boils down to the conclusions below:

    • Currently there is no easy way to roll certificates without disruptions

    • You cannot disable certificates as Kubernetes relies on the PKI to authenticate

    • Rotating secrets should be graceful in the future as stated in this PR