Doubt on the topic "The Admin Client Certificate" // SERIES: "Install Kubernetes the Hard Way"

I have one doubt regarding “The Admin Client Certificate”, which I found while watching the series “Install Kubernetes the Hard Way”.

As per https://github.com/mmumshad/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md

While creating the admin client certificate CSR, we are doing it through the command below:

openssl req -new -key admin.key -subj "/CN=admin/O=system:masters" -out admin.csr

As per my understanding, CN is Common Name (host name / computer name) and O is Organization. But what is system:masters here, which is mentioned as Organization?

Also I found the note as below

Note: that the admin user is part of the system:masters group. This is how we are able to perform any administrative operations on Kubernetes cluster using kubectl utility.

So my question is how to create the system:masters group, or how to check all these system groups. Are we binding this group with a ClusterRole / ClusterRoleBinding anywhere? What other roles are there on the system? Also, while creating the CSR request, how are we making the user part of the system:master role by only mentioning it in the O parameter?

Could you please give me a clear concept on this, or do you have any video tutorial explaining this?

On k8s, the default ClusterRole is cluster-admin and the default ClusterRoleBinding is system:masters, which allows super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the role binding’s namespace, including the namespace itself.
If you want to get all ClusterRoles, run kubectl get clusterrole, and for ClusterRoleBindings, kubectl get clusterrolebinding.
You can check this article https://medium.com/cruise/open-sourcing-rbacsync-48758df685b0; it simply uses this tool https://github.com/cruise-automation/rbacsync
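
Added example, not part of the original posts or the tutorial: with X.509 client certificates the Kubernetes API server takes the username from the subject CN and the group list from the subject O fields, so the group is never created as an object. The sketch below reads that identity back out of a CSR; the user "jane", the group "dev" and the helper names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the tutorial. Kubernetes X.509 client-cert auth
# maps subject CN -> username and each subject O -> one group. A CSR that
# names system:masters is therefore a request for super-user identity.

# Print the CSR subject one RDN per line, e.g. "O=system:masters" / "CN=admin".
# Simplification: assumes subject values contain no escaped commas.
csr_rdns() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n'
}

csr_user()   { csr_rdns "$1" | sed -n 's/^CN=//p'; }  # Kubernetes username
csr_groups() { csr_rdns "$1" | sed -n 's/^O=//p'; }   # Kubernetes groups

# True when the CSR would authenticate as a member of system:masters, the
# group the default "cluster-admin" ClusterRoleBinding ties to the
# cluster-admin ClusterRole.
csr_is_superuser() { csr_groups "$1" | grep -qx 'system:masters'; }

# Constructed sample input: the tutorial's admin subject plus a
# hypothetical ordinary user "jane" in a hypothetical group "dev".
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_csr() {  # make_csr <name> <subject>
  openssl genrsa -out "$workdir/$1.key" 2048 2>/dev/null
  openssl req -new -key "$workdir/$1.key" -subj "$2" -out "$workdir/$1.csr"
}
make_csr admin "/CN=admin/O=system:masters"
make_csr jane  "/CN=jane/O=dev"

for csr in "$workdir"/*.csr; do
  if csr_is_superuser "$csr"; then
    verdict="member of system:masters: review before signing"
  else
    verdict="not in system:masters"
  fi
  echo "user=$(csr_user "$csr") groups=$(csr_groups "$csr" | paste -sd, -) -> $verdict"
done

# On a live cluster the binding itself can be inspected with:
#   kubectl get clusterrolebinding cluster-admin -o yaml
```

Whoever signs CSRs with the cluster CA decides who becomes a cluster administrator, so a check like `csr_is_superuser` belongs in front of any signing step.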