Skip to content

Kops distrust keypair

kops distrust keypair

Distrust a keypair.


Distrust one or more keypairs in a keyset.

Distrusting removes the certificates of the specified keypairs from trust stores.

Only secondary keypairs may be distrusted.

If no keypair IDs are specified, all keypairs in the keyset that are older than the primary keypair will be distrusted.

If the keyset is specified as "all", each rotatable keyset will have all keypairs older than their respective primary keypairs distrusted.

kops distrust keypair {KEYSET [ID]... | all} [flags]


  # Distrust all cluster CA keypairs older than the primary.
  kops distrust keypair kubernetes-ca

  # Distrust a particular keypair.
  kops distrust keypair kubernetes-ca 6977545226837259959403993899

  # Distrust all rotatable keypairs older than their respective primaries.
  kops distrust keypair all


  -h, --help   help for keypair

Options inherited from parent commands

      --config string   yaml config file (default is $HOME/.kops.yaml)
      --name string     Name of cluster. Overrides KOPS_CLUSTER_NAME environment variable
      --state string    Location of state storage (kops 'config' file). Overrides KOPS_STATE_STORE environment variable
  -v, --v Level         number for the log level verbosity