[EKS] [CreateCluster]: add kubernetes-admin-arn parameter to create-cluster #378
Labels: Duplicate / Merged (Duplicate issue), EKS (Amazon Elastic Kubernetes Service), Proposed (Community submitted issue)
Tell us about your request
Currently, when creating an EKS cluster, the IAM user creating it is implicitly mapped to the `kubernetes-admin` user in the cluster, making them the only one that has access until the aws-auth ConfigMap is updated. Ideally we could specify the ARN of an IAM role/user which would be assigned as the `kubernetes-admin` user when calling CreateCluster.
Which service(s) is this request for?
EKS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Our standard process for creating CF stacks uses the --role-arn parameter of CreateStack to specify a role that has the appropriate permissions (the user themselves has fewer permissions). This results in the passed role becoming mapped to the admin user; these roles are only assumable by CloudFormation, so effectively the cluster would be inaccessible unless we updated the roles to be assumable by users as well.
Another concern is that if the IAM user account that created the stack was ever deleted, then the `kubernetes-admin` user would essentially become orphaned, as I cannot see any way of updating this mapping (only the ability to add more mappings). This change would simplify onboarding #44 and make the admin user assignment more transparent.
Our typical usage scenario, if the flag were present, would be to set this to the ARN of an Okta SSO role, which would then give all the appropriate admin-level users access.
Are you currently working around this issue?
With a bunch of modifications to our standard process to separate out the CF creation process into ones that pass a role and one that doesn't.
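For reference, this is what the explicit admin mapping the request is asking for looks like today, done by hand in the aws-auth ConfigMap. This is an added example, not content from the issue or the EKS project; the account ID and role names are placeholders. It maps the CloudFormation service role (the one passed as --role-arn) and an Okta SSO role to the `system:masters` group, which is how cluster-admin is granted to additional IAM principals in aws-auth. The implicit mapping for the cluster creator does not appear anywhere in this ConfigMap, which is exactly the orphaning concern raised above.

```yaml
# Added example (not from the issue): aws-auth ConfigMap granting cluster-admin to
# explicit IAM principals. Account ID and role names are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Keep the node role mapping; without it worker nodes can no longer join.
    - rolearn: arn:aws:iam::111122223333:role/eks-node-instance-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # The CloudFormation service role passed via --role-arn. It is assumable only by
    # CloudFormation, so this mapping alone gives no human access to the cluster.
    - rolearn: arn:aws:iam::111122223333:role/cfn-eks-deploy-role
      username: cfn-deploy
      groups:
        - system:masters
    # The Okta SSO role: every engineer who assumes it becomes cluster-admin, and the
    # mapping is tied to a role rather than to any individual IAM user.
    - rolearn: arn:aws:iam::111122223333:role/okta-eks-admin
      username: okta-admin:{{SessionName}}
      groups:
        - system:masters
```

Apply it with `kubectl apply -f aws-auth.yaml` while you still hold credentials that the cluster accepts (i.e. the implicit creator identity); once that identity is gone there is nobody left who can edit the ConfigMap. Two caveats: `kubectl apply` replaces the whole ConfigMap, so the node role entry must be kept in the same document, and role ARNs in aws-auth must be written without an IAM path component or the mapping will silently not match.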