Our k8s cluster is installed by kubespray and k8s version is 1.13.5, some of my colleagues has copy the admin.conf file to his personal computer. Therefore, he can use kubectl tool to do anythings he want from remote. We have done renew the certificate by kubeadm tool from Internet document, But I found the old admin.conf still working to access the k8s cluster. It looks like even re-run cluster.yaml, because the Certificate Authorize still the same as before, therefore, the old admin.conf can be used until expire.
How should I do to avoid the guy(my colleague) access this cluster anymore?
Try delete the kube-apiserver pods in the cluster so that k8s will re-create them.
I saw something similar on my system, when I renewed the certificates, for some reason, kube-api kept access, although the old configuration file was used.