7 votes

EKS documentation says

"When you create an Amazon EKS cluster, the IAM entity (user or role) is automatically granted system:master permissions in the cluster's RBAC configuration".

But after the EKS cluster creation, if you check the aws-auth config map, it does NOT have the ARN mapping to the system:masters group. But I am able to access the cluster via kubectl. So if the aws-auth (heptio config map) DOES NOT have my ARN (I was the one who created the EKS cluster) mapped to the system:masters group, how does the heptio aws authenticator authenticate me?

2
I use heptio as well; I did it to enable RBAC with permissions for each service by creating a new service account, role, role binding, etc., and I'd be glad to hear if there is a one-for-all solution. – BMW

2 Answers

8 votes

I got to know the answer. Basically, on the heptio server-side component, the static mapping for system:master is done under /etc/kubernetes/aws-iam-authenticator/ (https://github.com/kubernetes-sigs/aws-iam-authenticator#3-configure-your-api-server-to-talk-to-the-server), which is mounted into the heptio authenticator pod. Since you do not have access to this in EKS, you can't see it. However, if you do invoke /authenticate yourself with the pre-signed request, you should get the TokenReviewStatus response from the heptio authenticator showing the mapping for the ARN (who created the cluster) to the system:master group!
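Because the creator's mapping lives in the authenticator's server-side config and never shows up in aws-auth, the ConfigMap alone is the only part you can audit from the cluster. The following is an added example (not from the question, the answer or the aws-iam-authenticator project) that parses a constructed `kubectl get configmap aws-auth -n kube-system -o json` document and lists every IAM ARN that aws-auth maps into system:masters; the account id and role/user names are made up.

```python
import json

# Constructed sample of `kubectl get configmap aws-auth -n kube-system -o json`;
# account id and principal names are made up for the example.
SAMPLE_AWS_AUTH = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "aws-auth", "namespace": "kube-system"},
    "data": {
        "mapRoles": (
            "- rolearn: arn:aws:iam::111122223333:role/eks-node-group\n"
            "  username: system:node:{{EC2PrivateDNSName}}\n"
            "  groups:\n"
            "    - system:bootstrappers\n"
            "    - system:nodes\n"
            "- rolearn: arn:aws:iam::111122223333:role/platform-admin\n"
            "  username: platform-admin\n"
            "  groups:\n"
            "    - system:masters\n"
        ),
        "mapUsers": (
            "- userarn: arn:aws:iam::111122223333:user/alice\n"
            "  username: alice\n"
            "  groups:\n"
            "    - system:masters\n"
        ),
    },
})


def parse_mappings(block):
    """Parse the restricted YAML list aws-auth uses (one mapping per '- ' item,
    scalar keys plus a 'groups' list) without a PyYAML dependency."""
    items, current = [], None
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("- "):          # start of a new mapping entry
            current = {}
            items.append(current)
            line = line[2:]
        if line.startswith("- "):         # indented list element under 'groups'
            current.setdefault("groups", []).append(line[2:])
            continue
        key, _, value = line.partition(":")  # split on the first ':' only
        current[key.strip()] = value.strip() or []
    return items


def system_masters_principals(configmap_json):
    """Return the IAM ARNs that aws-auth maps into system:masters (cluster-admin).
    The cluster creator's ARN is NOT in this list: its mapping is server-side."""
    data = json.loads(configmap_json).get("data", {})
    found = []
    for field, arn_key in (("mapRoles", "rolearn"), ("mapUsers", "userarn")):
        for entry in parse_mappings(data.get(field, "")):
            if "system:masters" in entry.get("groups", []):
                found.append(entry[arn_key])
    return found


if __name__ == "__main__":
    for arn in system_masters_principals(SAMPLE_AWS_AUTH):
        print("system:masters via aws-auth:", arn)
```

Run it against real output by piping `kubectl get configmap aws-auth -n kube-system -o json` into the function; anyone listed has full cluster-admin in addition to whoever created the cluster.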

0 votes

When you create your cluster, you also install aws-iam-authenticator, and since you created the cluster, I'm sure you have ~/.aws/credentials.

If you check the aws-auth file you can see it has aws-iam-authenticator in it.

Also, you have a ~/.kube/config file where you can see that iam-authenticator maps your AWS-PROFILE as a ConfigMap.

So whenever you run a kubectl command, it reads the kube config file to authenticate with your cluster.