AWS角色和用户没有任何策略，为什么我仍然可以访问K8s集群？

Question

My question: I have not any permission,why I can access K8s

[vagrant@localhost ~]$ kubectl get deployment --namespace=development
No resources found in development namespace.

---

Things below are my configuration.

$ cat ~/.kube/config 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <my certificate-authority-data>
    server: https://2C1A77626A2087EBA1D1123EA9398DAF.gr7.ap-northeast-1.eks.amazonaws.com
  name: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
contexts:
- context:
    cluster: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
    user: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
  name: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
current-context: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
kind: Config
preferences: {}
users:
- name: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - ap-northeast-1
      - eks
      - get-token
      - --cluster-name
      - eksworkshop-eksctl
      - --role
      - arn:aws:iam::056844949861:role/k8sDev
      command: aws

Here are my role and, nothing in Permissions:

Here is my user, just inline policy here:

here are my group and content of inline policy:

Answer 1

The reason you are able to access it is because the IAM user you are accessing the cluster is the same as the one used to create the cluster. The documenation states:

When you create an Amazon EKS cluster, the IAM entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster's RBAC configuration.

In EKS, IAM users are used for authentication, but IAM roles do not control authorization. Authorization is still handled through the kubernetes RBAC system.