Doubt on the topic "The Admin Client Certificate" // SERIES: "Install Kubernetes the Hard Way"

I have one doubt , regarding “The Admin Client Certificate” , which I found while watching the series “Install Kubernetes the Hard Way” .

As per https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md

while creating admin clinet certificate CSR we are doing it through below

openssl req -new -key admin.key -subj “/CN=admin/O=system:masters” -out admin.csr

as per my understanding CN is Common Name ( host name / computer name) & O as Organization . but what is system:masters here , which mention as Organization .

Also I found the note as below

Note: that the admin user is part of the system:masters group. This is how we are able to perform any administrative operations on Kubernetes cluster using kubectl utility.

so my question is how to create system:masters groups . or how to check all these system groups , are we binding this group with ClusterRole / ClusterRoleBinding anywhere ? what are other roles there on the system ? also while crating CSR request how we are making the user part of the system:master role by only mentioning it in O paramter .

Could you please give me a clear concept on this , or do you have any video tutorial explaining this ?