terraform-aws-eks-blueprints-teams
feature request: elastic admin team creation without relying on system:masters
As of today, the creation of a new admin team (enable_admin=true) eventually produces an aws_auth_configmap_role output, which contains the hardcoded group system:masters.
Creating additional administrative users belonging to the above-mentioned group (other than the IAM Principal used to initially bootstrap the cluster, which is neither visible nor editable) is against best practices and discouraged for security purposes; it is like using the root account in your AWS environment.
Maybe an improvement can be implemented by giving the ability to choose whether the new team should be added to system:masters or to another group created ad hoc, like with the "Development Teams", thus creating a ClusterRoleBinding to the built-in cluster-admin ClusterRole. This will have the same effect as using system:masters, but would allow those rights to be removed if necessary, by removing the group from the ClusterRoleBinding.
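The shape the requested behaviour would take, as an added example that is not part of the original issue or of the module's code: the aws-auth mapRoles entry maps the team's IAM role to an ad hoc Kubernetes group instead of system:masters, and a ClusterRoleBinding grants that group the built-in cluster-admin ClusterRole. The group name `platform-admins`, the IAM role ARN and the binding name are placeholders; `aws_auth_roles` is assumed to be how the entry reaches the terraform-aws-eks module's aws-auth management.

```hcl
# Added example, not the module's own code. Placeholders: the role ARN,
# the group name platform-admins and the binding name.

locals {
  admin_role_arn  = "arn:aws:iam::111122223333:role/eks-platform-admin" # placeholder
  admin_k8s_group = "platform-admins"                                   # ad hoc group, not system:masters
}

# aws-auth mapRoles entry for the admin team. The only difference from the
# current enable_admin output is the groups list: a removable group instead
# of the hardcoded ["system:masters"]. Assumed to be fed to aws_auth_roles
# of the terraform-aws-eks module (or merged into the ConfigMap by hand).
locals {
  aws_auth_admin_role = {
    rolearn  = local.admin_role_arn
    username = "platform-admin:{{SessionName}}"
    groups   = [local.admin_k8s_group]
  }
}

# Bind the ad hoc group to the built-in cluster-admin ClusterRole.
# Deleting this resource (or dropping the subject) revokes the rights;
# membership of system:masters cannot be revoked through RBAC at all.
resource "kubernetes_cluster_role_binding_v1" "platform_admins" {
  metadata {
    name = "platform-admins-cluster-admin" # placeholder
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = local.admin_k8s_group
  }
}
```

To check the result without assuming a role, impersonate the group: `kubectl auth can-i '*' '*' --as=someone --as-group=platform-admins` should answer `yes`, and after `kubectl delete clusterrolebinding platform-admins-cluster-admin` the same command should answer `no`. The same effect cannot be obtained for system:masters, because the API server honours that group before RBAC is consulted. On clusters that use the newer EKS access entries API instead of aws-auth, the equivalent is an access entry with the AmazonEKSClusterAdminPolicy access policy, which is likewise revocable.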
I think this is a reasonable request. I will add it to our backlog.
Hi @LeoSpyke!
If I understand correctly, you want a way to provide another existing Role or ClusterRole to the admin team other than system:masters, or to replace the existing one with another ClusterRoleBinding attached to the cluster-admin role. Is that correct?
I'm assuming this project is now abandoned? There hasn't been any progress or work on it in a year.
I'm going to close this issue due to migration to EKS API and lack of interest.