I'm trying to understand how are managed RBAC authorizations for the first user that create an EKS cluster within AWS.
Or in other words : How is the cluster creator mapped to the "system:masters" group within RBAC ?
I know this doc states : "When you create an Amazon EKS cluster, the IAM entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster's RBAC configuration."
And I understand how clusterrole cluster-admin and clusterrolebinding cluster-admin grants full admin rights to any members of the "system:masters" group.
What I can't figure out is how/where is the cluster creator user mapped to this group ? (the "automatically granted" part of the doc)
PS: I know that to add additionnal user/roles I'm supposed to use the aws-auth configmap, but this first user is not defined here and still has access to cluster.
If anyone can enlighten me please ?
Thanks in advance!
For the record I'm using a kubernetes 1.18 EKS cluster that was built with terraform via the community module here :
module "cluster" {
source = "terraform-aws-modules/eks/aws"
version = "13.2.1"
cluster_version = "1.18"
cluster_name = "memorandom-${local.id}"
vpc_id = module.vpc.vpc_id
subnets = module.vpc.private_subnets
write_kubeconfig = false
manage_aws_auth = true
worker_groups = [
{
instance_type = "t3.medium"
asg_max_size = 3
key_name = "pbenefice"
}
]
tags = local.tags
}