Skip to content

Credential Rotation

Credential rotation in AKS includes more than Kubernetes certificates. You also need rotation plans for kubeconfig access, workload credentials, image pull identities, and external secrets.

Prerequisites

  • You know which identities and certificates exist in the cluster.
  • Application teams know how to recover after rotation events.
  • A change window and rollback communication plan are prepared.

When to Use

  • Scheduled certificate rotation.
  • Secret expiration or emergency compromise response.
  • Migration from static credentials to workload identity.

Procedure

flowchart TD
    A[Inventory credentials] --> B[Rotate cluster certs or secrets]
    B --> C[Refresh clients and workloads]
    C --> D[Validate access paths]
az aks rotate-certs --resource-group $RG --name $CLUSTER_NAME --yes
az aks get-credentials --resource-group $RG --name $CLUSTER_NAME --overwrite-existing
kubectl get secret -A
kubectl rollout restart deployment/<deployment-name> -n <namespace>

Verification

kubectl auth can-i get pods --all-namespaces
kubectl get pods -A
kubectl describe serviceaccount <service-account> -n <namespace>

Rollback / Troubleshooting

  • If client access fails after certificate rotation, refresh kubeconfig and verify Entra authentication plugins.
  • If workloads lose Azure access, inspect workload identity federation settings and Key Vault access policies.
  • If image pulls fail after credential changes, validate ACR integration or secret references immediately.

See Also

Sources