Use system:node:$nodeName as username for worker nodes #57

Closed
rtripat opened this issue Mar 12, 2018 · 3 comments

Comments

@rtripat

rtripat commented Mar 12, 2018

To use features like TLS bootstrapping of nodes, the username returned by the authenticator for nodes should be of the format "system:node:$nodeName", where $nodeName is the private DNS name of the EC2 instance, like ip-10-0-125-14.us-west-2.compute.internal.

The authenticator can accept an additional IAM role as a parameter or use the EC2 instance role to query EC2 DescribeInstances API and map instance id (returned by GetCallerIdentity) to private DNS name of the instance.

@mattlandis
Contributor

I propose we add an EC2DescribeInstancesRole to the configuration for the server and a new value {{ec2PrivateDNS}} that can be used in the parameter substitution for the configmap. This value causes the authenticator to use the provided role to call EC2 DescribeInstances for the instance and get the private DNS name.

Should it be one role or a map of account to role?

An alternative would be to have the authenticator token generation know that it is supposed to generate the DNS name as the session name for the assumed role that signs the STS GetCallerIdentity request. I think this approach will overcomplicate the role setup for the instances and should not be used in favor of the first approach, but I wanted to call it out as a possibility.

@rtripat
Author

rtripat commented Mar 13, 2018

Since the authenticator supports multiple accounts, it has to be a map from account to roles. I'd like it to default to using the EC2 instance role on which it's running if the override "EC2DescribeInstancesRole" isn't provided. This makes it simpler to run the authenticator in the same account as the node groups.

I also thought about the second approach but decided against it since we cannot trust the token generator to embed the correct value of private DNS.

@nckturner
Contributor

@matlan @rtripat How about only looking up the private DNS when using a new mapNodes key where the username is not specified:

```yaml
mapNodes:
  - roleARN: arn:aws:iam::000000000000:role/KubernetesNodeRole
    ec2DescribeInstancesRoleARN: arn:aws:iam::000000000000:role/RoleInNodeAccount
    groups:
    - system:bootstrappers
    - aws:instances
```

And similarly, if ec2DescribeInstancesRoleARN isn't provided, the authenticator will use its own EC2 instance role.

This gives the user a better idea of when the authenticator will look up the private DNS name.
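An added example (not code from this issue or from aws-iam-authenticator itself) of the mapping the thread proposes: the role from the GetCallerIdentity ARN is matched against mapNodes, the instance ID in the session name is resolved to a private DNS name, and the username becomes system:node:$nodeName. The EC2 DescribeInstances call is abstracted behind a LookupPrivateDNS function so the example runs offline; the NodeMapping type and function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// NodeMapping mirrors a proposed mapNodes entry: the node IAM role and the
// Kubernetes groups to assign.
type NodeMapping struct {
	RoleARN string
	Groups  []string
}

// LookupPrivateDNS stands in for the EC2 DescribeInstances call so the example
// runs offline; a real one would call EC2 with ec2DescribeInstancesRoleARN or
// the authenticator's own instance role.
type LookupPrivateDNS func(instanceID string) (string, error)

// MapNodeIdentity takes the ARN returned by GetCallerIdentity, for example
// arn:aws:sts::000000000000:assumed-role/KubernetesNodeRole/i-0abc123,
// where the session name is the instance ID because the instance profile
// assumed the role. The DescribeInstances lookup happens only when the role is
// listed in mapNodes; the result is "system:node:<privateDNS>" plus groups.
func MapNodeIdentity(callerARN string, mappings []NodeMapping, lookup LookupPrivateDNS) (string, []string, error) {
	parts := strings.Split(callerARN, ":")
	if len(parts) != 6 || !strings.HasPrefix(parts[5], "assumed-role/") {
		return "", nil, fmt.Errorf("not an assumed-role ARN: %s", callerARN)
	}
	rest := strings.Split(strings.TrimPrefix(parts[5], "assumed-role/"), "/")
	if len(rest) != 2 || !strings.HasPrefix(rest[1], "i-") {
		return "", nil, fmt.Errorf("session name is not an EC2 instance ID: %s", callerARN)
	}
	roleARN := fmt.Sprintf("arn:aws:iam::%s:role/%s", parts[4], rest[0])
	for _, m := range mappings {
		if m.RoleARN != roleARN {
			continue
		}
		// The private DNS name comes from EC2, never from anything the caller
		// embedded in the token, so the node cannot choose its own username.
		dns, err := lookup(rest[1])
		if err != nil {
			return "", nil, err
		}
		return "system:node:" + dns, m.Groups, nil
	}
	return "", nil, fmt.Errorf("role %s is not in mapNodes", roleARN)
}
```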

joanayma pushed a commit to joanayma/aws-iam-authenticator that referenced this issue Aug 11, 2021