The installer-generated kubeconfig is replaced by issuing a new kubeconfig and then making the existing one invalid. The existing kubeconfig file is not deleted; it stops working because the API server no longer trusts the client CA that signed the client certificate it carries. There is no way to revoke that kubeconfig on its own (the API server does not revoke individual client certificates), so removing its signing CA from the API server's client CA bundle is what invalidates it.
Optionally, you can replace the installer-generated kubeconfig. This process is also referred to as configuring the installer-generated kubeconfig to be invalid. You might do this if any of the following conditions exist:
- You do not trust who installed the cluster.
- The kubeconfig is leaked.
  Note: A leak can occur if a third party installs the cluster. That third party has the kubeconfig and can potentially access the cluster. To increase security, replace the kubeconfig.
- Other security-related needs exist, such as the periodic rotation of the kubeconfig.
To replace the installer-generated kubeconfig, add a custom client CA to the API server, verify a kubeconfig issued from that CA, and then remove the installer-generated clientCA from the API server:
- Use the following command to import an additional CA certificate into a configmap in the `openshift-config` namespace. The CA file must be in PEM format, and it is stored under the `ca-bundle.crt` key shown, which is the key the API server reads:
  oc create configmap client-ca-custom -n openshift-config --from-file=ca-bundle.crt=ca.crt
- Use the following command to patch the APIServer instance so that it trusts the new client CA:
  oc patch apiserver cluster --type=merge -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}'
- Test the new clientCA by authenticating to the API server with a kubeconfig whose client certificate is signed by the new CA. Keep the installer-generated kubeconfig available while you test: until the installer-generated clientCA is removed, both kubeconfigs are accepted, and the kube-apiserver rollout that picks up the new clientCA can take several minutes.
- If the test is successful, remove the installer-generated clientCA. From that point the installer-generated kubeconfig is rejected, because the API server no longer trusts the CA that signed its client certificate.
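The procedure above carried end to end, as an added example that is not the OpenShift documentation's own code. It mints a custom client CA and a cluster-admin client certificate with openssl, verifies that the certificate chains to the new CA and carries the intended identity, builds a kubeconfig around it, and, when invoked with `apply`, runs the `oc` steps from the page and polls until the new kubeconfig authenticates. The configmap name `client-ca-custom`, the `openshift-config` namespace and the APIServer patch are taken from the page; the user name `admin-rotated`, the file names, the `installer-ca-standin` CA used to stand in for the installer's CA, and the API URL used in the test are assumptions made for this example. The stand-in also shows the mechanism the page relies on: a client certificate from a CA that is not in the bundle does not chain, so the old kubeconfig is rejected once its CA is gone.

```shell
#!/bin/sh
# Added example, not from the OpenShift docs: mint a replacement client CA and admin
# cert with openssl, check them locally, and with "apply" run the oc steps. Names,
# paths and the user name are placeholders chosen for this example.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"        # scratch directory (assumed)
NEW_USER="${NEW_USER:-admin-rotated}"    # CN of the new admin identity (assumed)
b64() { base64 < "$1" | tr -d '\n'; }

# Self-signed client CA. Guard ca.key: while this CA is in the API server bundle,
# anyone holding the key can mint cluster-admin credentials.
make_ca() {   # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 365 -subj "/CN=$2" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
  chmod 600 "$WORKDIR/$1.key"
}

# Client cert. The API server maps CN to the user and O to a group; O=system:masters
# is the built-in cluster-admin group the installer kubeconfig carries.
sign_client() {   # $1 = CA prefix, $2 = cert prefix, $3 = CN (user), $4 = O (group)
  openssl req -new -newkey rsa:3072 -nodes -sha256 -subj "/O=$4/CN=$3" \
    -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.csr" 2>/dev/null
  chmod 600 "$WORKDIR/$2.key"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$WORKDIR/$2.ext"
  openssl x509 -req -sha256 -days 30 -CAcreateserial -CA "$WORKDIR/$1.crt" \
    -CAkey "$WORKDIR/$1.key" -in "$WORKDIR/$2.csr" -extfile "$WORKDIR/$2.ext" \
    -out "$WORKDIR/$2.crt" 2>/dev/null
}

# Chain check: the same decision the API server makes against spec.clientCA.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }   # $1 = CA bundle, $2 = cert

# Local pre-flight: chains to the CA, valid for TLS client auth, right identity.
check_client() {   # $1 = CA prefix, $2 = cert prefix, $3 = expected CN, $4 = expected O
  chains_to "$WORKDIR/$1.crt" "$WORKDIR/$2.crt" || return 1
  openssl x509 -in "$WORKDIR/$2.crt" -noout -purpose | grep -q '^SSL client : Yes' || return 1
  subj=$(openssl x509 -in "$WORKDIR/$2.crt" -noout -subject)
  case "$subj" in *"CN=$3"*|*"CN = $3"*) ;; *) return 1 ;; esac
  case "$subj" in *"O=$4"*|*"O = $4"*) ;; *) return 1 ;; esac
}

# Kubeconfig with embedded credentials (server URL and serving CA come from the
# existing kubeconfig in apply_to_cluster).
write_kubeconfig() {   # $1 = server URL, $2 = server CA file, $3 = cert prefix, $4 = output
  cat > "$4" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: cluster
  cluster:
    server: $1
    certificate-authority-data: $(b64 "$2")
users:
- name: $NEW_USER
  user:
    client-certificate-data: $(b64 "$WORKDIR/$3.crt")
    client-key-data: $(b64 "$WORKDIR/$3.key")
contexts:
- name: $NEW_USER@cluster
  context: {cluster: cluster, user: $NEW_USER}
current-context: $NEW_USER@cluster
EOF
  chmod 600 "$4"
}

# Cluster steps from the procedure; run while logged in with the OLD kubeconfig.
apply_to_cluster() {
  server=$(oc config view --raw --minify -o jsonpath='{.clusters[0].cluster.server}')
  oc config view --raw --minify -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' \
    | base64 -d > "$WORKDIR/server-ca.crt"
  write_kubeconfig "$server" "$WORKDIR/server-ca.crt" client "$WORKDIR/new.kubeconfig"
  oc create configmap client-ca-custom -n openshift-config --from-file=ca-bundle.crt="$WORKDIR/ca.crt"
  oc patch apiserver cluster --type=merge -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}'
  # The kube-apiserver rolls out the new bundle; poll until the new identity is
  # accepted. Only then is it safe to remove the installer-generated clientCA.
  tries=0
  while [ "$tries" -lt 60 ]; do
    [ "$(oc --kubeconfig "$WORKDIR/new.kubeconfig" whoami 2>/dev/null)" = "$NEW_USER" ] \
      && { echo "new kubeconfig accepted: $WORKDIR/new.kubeconfig"; return 0; }
    tries=$((tries + 1)); sleep 10
  done
  echo "new kubeconfig not accepted yet; do NOT remove the installer clientCA" >&2; return 1
}

main() {
  make_ca ca custom-client-ca
  sign_client ca client "$NEW_USER" system:masters
  check_client ca client "$NEW_USER" system:masters
  # Constructed stand-in for the installer CA and kubeconfig cert: it chains to its
  # own CA but not to the new bundle, which is how the old kubeconfig gets invalidated.
  make_ca installer-standin installer-ca-standin
  sign_client installer-standin oldclient system:admin system:masters
  if chains_to "$WORKDIR/ca.crt" "$WORKDIR/oldclient.crt"; then
    echo "unexpected: stand-in installer cert accepted by the new CA" >&2; return 1
  fi
  echo "ok: $NEW_USER chains to the new CA; the stand-in installer cert does not"
  if [ "${1:-}" = "apply" ]; then apply_to_cluster; fi
}
main "$@"
```

Run it without arguments to mint and check the material offline; run it with `apply` while `oc` is logged in with the installer-generated kubeconfig to publish the CA, patch the APIServer and wait for the new kubeconfig to be accepted. Keep the old kubeconfig until `whoami` returns the new user; removing the installer-generated clientCA is the page's final step and is done separately, after that check passes.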