AWS EKS:第一个用户是如何被 EKS 添加到 system:masters 组的 [英] AWS EKS: How is the first user added to system:masters group by EKS

问题描述

EKS 文档说

当您创建 Amazon EKS 集群时，IAM 实体(用户或角色)会在集群的 RBAC 配置中自动获得 system:master 权限".

"When you create an Amazon EKS cluster, the IAM entity (user or role) is automatically granted system:master permissions in the cluster's RBAC configuration".

但是在 EKS 集群创建之后，如果您检查 aws-auth 配置映射，它没有到 system:masters 组的 ARN 映射.但是我可以通过 kubectl 访问集群.因此，如果 aws-auth(heptio 配置映射)没有将我的 ARN(我是创建 EKS 集群的人)映射到 system:masters 组，那么 heptio aws 身份验证器如何对我进行身份验证?

But after the EKS cluster creation, if you check the aws-auth config map, it does NOT have the ARN mapping to system:masters group. But I am able to access the cluster via kubectl. So if the aws-auth (heptio config map) DOES NOT have the my ARN (I was the one who created the EKS cluster) mapped to system:masters group, how does the heptio aws authenticator authenticate me?

推荐答案

我知道答案了.基本上在 heptio 服务器端组件上，system:master 的静态映射在/etc/kubernetes/aws-iam-authenticator/(https://github.com/kubernetes-sigs/aws-iam-authenticator#3-configure-your-api-server-to-talk-to-the-server)，它安装在 heptio 身份验证器 pod 中.由于您无法在 EKS 中访问它，因此您无法看到它.但是，如果您确实使用预签名请求调用/authenticate 自己，您应该从 heptio 身份验证器获得 TokenReviewStatus 响应，显示 ARN(创建集群的人)到 system:master 组的映射！

I got to know the answer. Basically on the heptio server side component, the static mapping for system:master is done under /etc/kubernetes/aws-iam-authenticator/ (https://github.com/kubernetes-sigs/aws-iam-authenticator#3-configure-your-api-server-to-talk-to-the-server) which is mounted into the heptio authenticator pod. Since you do not have access to this in EKS, you cant see it. However if you do invoke the /authenticate yourself with the pre-signed request, you should get the TokenReviewStatus response from heptio authenticator showing the mapping for ARN (who created the cluster) to system:master group!

这篇关于AWS EKS:第一个用户是如何被 EKS 添加到 system:masters 组的的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！