AWS EKS: How is the first user added to system:masters group by EKS

前端 未结 2 635
梦谈多话
梦谈多话 2021-02-04 18:54

EKS documentation says

\"When you create an Amazon EKS cluster, the IAM entity (user or role) is automatically granted system:master permissions in the c

相关标签:
2条回答
  • 2021-02-04 19:21

    I got to know the answer. Basically on the heptio server side component, the static mapping for system:master is done under /etc/kubernetes/aws-iam-authenticator/ (https://github.com/kubernetes-sigs/aws-iam-authenticator#3-configure-your-api-server-to-talk-to-the-server) which is mounted into the heptio authenticator pod. Since you do not have access to this in EKS, you cant see it. However if you do invoke the /authenticate yourself with the pre-signed request, you should get the TokenReviewStatus response from heptio authenticator showing the mapping for ARN (who created the cluster) to system:master group!

    0 讨论(0)
  • 2021-02-04 19:21

    when you create your cluster, you also install aws-iam-authenticator, and since you created the cluster, I'm sure you have ~/.aws/credentials.

    If you check the aws-auth file you can see it has aws-iam-authenticator in it.

    also you have ~/.kube/config file where you can see that iam-authenticator maps your AWS-PROFILE as a ConfigMap.

    so when over you run kubectl commandit reads kube config file to authenticate with your cluster.

    0 讨论(0)
提交回复
热议问题