EKS documentation says
"When you create an Amazon EKS cluster, the IAM entity (user or role) is automatically granted system:master permissions in the c
I got to know the answer. Basically, on the heptio server-side component, the static mapping for system:master is done under /etc/kubernetes/aws-iam-authenticator/ (https://github.com/kubernetes-sigs/aws-iam-authenticator#3-configure-your-api-server-to-talk-to-the-server), which is mounted into the heptio authenticator pod. Since you do not have access to this in EKS, you can't see it. However, if you do invoke the /authenticate yourself with the pre-signed request, you should get the TokenReviewStatus response from heptio authenticator showing the mapping for ARN (who created the cluster) to system:master group!
When you create your cluster, you also install aws-iam-authenticator, and since you created the cluster, I'm sure you have ~/.aws/credentials. If you check the aws-auth file you can see it has aws-iam-authenticator in it. Also, you have the ~/.kube/config file, where you can see that iam-authenticator maps your AWS-PROFILE as a ConfigMap. So whenever you run a kubectl command, it reads the kube config file to authenticate with your cluster.
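
An added example (not from the answers above or from the aws-iam-authenticator project): the token that kubectl obtains through aws-iam-authenticator is the prefix k8s-aws-v1. followed by the unpadded base64url encoding of a pre-signed sts:GetCallerIdentity URL, which is the pre-signed request the first answer refers to. This Python sketch decodes such a token so you can audit which access key, expiry and signed headers it carries; the function names are hypothetical, and the access key ID, date and signature in the sample are constructed placeholders.

```python
import base64
from urllib.parse import urlsplit, parse_qs

TOKEN_PREFIX = "k8s-aws-v1."

def decode_token(token):
    """Return the pre-signed STS URL wrapped inside the bearer token."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not an aws-iam-authenticator token")
    body = token[len(TOKEN_PREFIX):]
    body += "=" * (-len(body) % 4)  # the token is base64url without padding
    return base64.urlsafe_b64decode(body).decode("utf-8")

def inspect_token(token):
    """Summarise the fields of the pre-signed request that matter for review."""
    url = urlsplit(decode_token(token))
    q = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
    if q.get("action") != "GetCallerIdentity":
        raise ValueError("token does not wrap sts:GetCallerIdentity")
    signed = q.get("x-amz-signedheaders", "").split(";")
    return {
        "sts_host": url.hostname,
        # First element of the credential scope is the access key ID.
        "access_key_id": q.get("x-amz-credential", "").split("/")[0],
        "signed_at": q.get("x-amz-date"),
        "expires_seconds": int(q.get("x-amz-expires", "0")),
        # The cluster ID travels in the x-k8s-aws-id header, which must be signed.
        "cluster_header_signed": "x-k8s-aws-id" in signed,
    }

def make_sample_token():
    """Build a constructed token; key ID, date and signature are placeholders."""
    url = (
        "https://sts.us-east-1.amazonaws.com/"
        "?Action=GetCallerIdentity&Version=2011-06-15"
        "&X-Amz-Algorithm=AWS4-HMAC-SHA256"
        "&X-Amz-Credential=AKIAEXAMPLEEXAMPLE00%2F20240101%2Fus-east-1%2Fsts%2Faws4_request"
        "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=60"
        "&X-Amz-SignedHeaders=host%3Bx-k8s-aws-id"
        "&X-Amz-Signature=" + "0" * 64
    )
    encoded = base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii")
    return TOKEN_PREFIX + encoded.rstrip("=")

if __name__ == "__main__":
    for field, value in inspect_token(make_sample_token()).items():
        print(f"{field}: {value}")
```

The token contains no secret key, only the signature over the request, but it is a usable credential until it expires, so treat decoded tokens from logs or shell history accordingly.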