How is the "cluster creator" user of an AWS EKS cluster mapped to the "system:masters" RBAC group?

3.2k views Asked by At

I'm trying to understand how are managed RBAC authorizations for the first user that create an EKS cluster within AWS.
Or in other words : How is the cluster creator mapped to the "system:masters" group within RBAC ?

I know this doc states : "When you create an Amazon EKS cluster, the IAM entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster's RBAC configuration."
And I understand how clusterrole cluster-admin and clusterrolebinding cluster-admin grants full admin rights to any members of the "system:masters" group.

What I can't figure out is how/where is the cluster creator user mapped to this group ? (the "automatically granted" part of the doc)

PS: I know that to add additionnal user/roles I'm supposed to use the aws-auth configmap, but this first user is not defined here and still has access to cluster.

If anyone can enlighten me please ?

Thanks in advance!

For the record I'm using a kubernetes 1.18 EKS cluster that was built with terraform via the community module here :

module "cluster" {
  source  = "terraform-aws-modules/eks/aws"
  version = "13.2.1"

  cluster_version = "1.18"
  cluster_name    = "memorandom-${local.id}"
  vpc_id          = module.vpc.vpc_id
  subnets         = module.vpc.private_subnets

  write_kubeconfig = false
  manage_aws_auth  = true

  worker_groups = [
    {
      instance_type = "t3.medium"
      asg_max_size  = 3
      key_name      = "pbenefice"
    }
  ]

  tags = local.tags
}
3

There are 3 answers

1
Pierre Benefice On BEST ANSWER

So I reached for AWS Support on this topic. And to summarize the answer was : "Most of what you are asking about is confidential information and cannot be disclosed.".

I paste the full reply here :


Thanks for reaching out to AWS Premium Support. My name is * and I understand you're curious about the implementation details of the cluster creator's being part of the system:masters group.

Most of what you are asking about is confidential information and cannot be disclosed.

However, I can tell you that the EKS Control Plane has an Authenticator component. You can enable logs for this as described here [1].

Personally, I like to think of that "automatically granted" part of the docs as an imaginary, read-only permanent object under the mapUsers: section of the aws-auth configmap. Imaginary because it's not implemented in the aws-auth configmap, but the permissions it is granted are the same as if it were there. I've created an imaginary cluster-creator user object in the example below [2] that shows the effective implementation

[1]: Amazon EKS control plane logging - https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html

[2]: Example aws-auth configmap

apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    # The way EKS currently bootstraps your cluster permissions, you can think of the cluster-creator having a
    # read-only permanent entry here - the effective permissions are the same
    - userarn: arn:aws:iam::111122223333:user/cluster-creator
      username: cluster-creator
      groups:
        - system:masters
    # In an actual aws-auth configmap, the cluster-creator entry above isn't there and
    # only the mapUsers below would be shown
    - userarn: arn:aws:iam::111122223333:user/admin
      username: admin
      groups:
        - system:masters
    - userarn: arn:aws:iam::111122223333:user/ops-user
      username: ops-user
      groups:
        - system:masters

The most important practical considerations regarding the cluster creator RBAC permissions are:

  • the IAM entity (user or role) that created the cluster is always going to have admin privileges (system:masters permissions)
  • if IAM entity is deleted without other IAM entities being added with the necessary permissions to the aws-auth configmap - you have two options:
    1. you must either recreate the IAM entity with the same name to regain access to your cluster, or
    2. delete the cluster and create a new cluster using a new IAM entity

I know this probably wasn't all the information you'd hoped for, but I hope it helps satisfy part of your curiosity. As I can't go into any real depth to answer your questions, I'll go ahead and resolve your case. I hope you have a wonderful day and please feel free to reach out to us anytime.

0
emag_mI On

the aws-auth map implementation for IAM - Kubernetes RBAC mapping is done with a control plane deployed dynamic webhook server(admission webhook).

  • the cluster creator is mapped in this same webhook config file that is used to authenticate and authorize other requests against the aws-auth map
  • the cluster creator is simply not written to the aws-auth map to avoid erroneous edits or changes - some entity must always have access to the cluster is the design consideration for this
  • although, we may have deleted the IAM cluster creator from the AWS IAM - so the cluster knows the creating entity, but we dont have the entity existing in the AWS account anymore
1
Arghya Sadhu On

Please note that aws-auth configMap is not the only source of truth. The initial user is coming from a MountedFile