Revoking Access

You can disable individual permission tiers, re-enable them later, or remove all access entirely. Revocation is immediate - there is no delay or grace period.

What Happens When Permissions Are Revoked

Regardless of environment, here’s what to expect when you revoke a permission tier:

Revoked Tier	Impact
Steady-state	We lose visibility into application health. We won’t know if the application is running or has issues.
Install	We cannot provision infrastructure or perform upgrades. The current deployment continues running.
Deploy	We cannot deploy new versions. The current version continues running.
Read-only operations	We cannot view logs or events for troubleshooting.
Read-write operations	We cannot restart pods or apply patches.
Admin operations	We cannot execute commands in containers or port-forward.

Disabling Permissions

Kubernetes
AWS

To disable a specific permission tier (e.g., prevent us from restarting pods), delete the corresponding cluster role binding.

kubectl delete clusterrolebinding <binding-name>

Once deleted, the controller immediately loses that capability. We cannot perform actions that require that permission tier until you re-enable it.

Example: Disable Admin Operations

If you enabled admin operations for a troubleshooting session and want to revoke it:

kubectl delete clusterrolebinding <admin-ops-binding>

The controller can no longer execute commands inside containers or port-forward. Read-only and read-write operations (if enabled) are unaffected.

The controller’s EC2 instance uses an IAM instance profile with attached policies. To restrict what the controller can do, detach specific policies from its IAM role.

View Current Policies

aws iam list-attached-role-policies --role-name <controller-role-name>

Detach a Policy

aws iam detach-role-policy \
  --role-name <controller-role-name> \
  --policy-arn <policy-arn>

Once detached, the controller immediately loses the permissions granted by that policy.

Re-Enabling Permissions

Kubernetes
AWS

To restore a permission tier you previously disabled, re-apply the role binding. The Terraform configuration you applied during installation contains the definitions. You can either:

Re-run terraform apply to restore all bindings to their original state
Create the specific role binding manually with kubectl

Re-attach the policy to the role:

aws iam attach-role-policy \
  --role-name <controller-role-name> \
  --policy-arn <policy-arn>

The Terraform configuration you applied during installation contains the full policy definitions. You can also re-run terraform apply to restore everything to its original state.

Revoking All Access

Kubernetes
AWS

Option 1 - Delete all cluster role bindings

kubectl get clusterrolebindings | grep <namespace> | awk '{print $1}' | xargs kubectl delete clusterrolebinding

Option 2 - Delete the namespace

kubectl delete namespace <namespace>

This removes everything - the controller, its permissions, its service accounts, and all resources in the namespace. The application will stop running. Use this only if you need to completely remove the deployment.

Option 1 - Detach all policies

First, list all policies attached to the controller’s IAM role:

aws iam list-attached-role-policies \
  --role-name <controller-role-name> \
  --query 'AttachedPolicies[].PolicyArn' \
  --output text

Then, for each policy ARN returned, run:

aws iam detach-role-policy \
  --role-name <controller-role-name> \
  --policy-arn <policy-arn-from-step-1>

The controller instance keeps running but can no longer call any AWS APIs.

Option 2 - Stop the instance

aws ec2 stop-instances --instance-ids <instance-id>

This stops the controller entirely.

Option 3 - Detach the instance profile

aws ec2 disassociate-iam-instance-profile \
  --association-id <association-id>

Once the instance profile is detached, the controller loses all IAM permissions immediately.

Auditing Permission Changes

Kubernetes
AWS

Kubernetes records all RBAC changes in the audit log. You can verify when bindings were created, modified, or deleted:

kubectl get events -n <namespace> --field-selector reason=Created

All IAM changes are recorded in AWS CloudTrail. You can verify when policies were attached, detached, or roles modified:

aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=ResourceName,AttributeValue=<controller-role-name> \
  --max-results 20

Permissions - What each permission tier allows
Security Model - The overall security architecture

Getting Started

Installation

Configuration

Security

Operations

Reference

Revoking Access

What Happens When Permissions Are Revoked

Disabling Permissions

Example: Disable Admin Operations

View Current Policies

Detach a Policy

Re-Enabling Permissions

Revoking All Access

Option 1 - Delete all cluster role bindings

Option 2 - Delete the namespace

Option 1 - Detach all policies

Option 2 - Stop the instance

Option 3 - Detach the instance profile

Auditing Permission Changes

Getting Started

Installation

Configuration

Security

Operations

Reference

Documentation Index

​What Happens When Permissions Are Revoked

​Disabling Permissions

​Example: Disable Admin Operations

​View Current Policies

​Detach a Policy

​Re-Enabling Permissions

​Revoking All Access

​Option 1 - Delete all cluster role bindings

​Option 2 - Delete the namespace

​Option 1 - Detach all policies

​Option 2 - Stop the instance

​Option 3 - Detach the instance profile

​Auditing Permission Changes

​Related

What Happens When Permissions Are Revoked

Disabling Permissions

Example: Disable Admin Operations

View Current Policies

Detach a Policy

Re-Enabling Permissions

Revoking All Access

Option 1 - Delete all cluster role bindings

Option 2 - Delete the namespace

Option 1 - Detach all policies

Option 2 - Stop the instance

Option 3 - Detach the instance profile

Auditing Permission Changes

Related