Connect an Amazon EKS cluster with Cloudcraft

By scanning your Amazon EKS clusters, Cloudcraft lets you visualize the workloads and pods deployed inside them and generate professional-looking system architecture diagrams.

By using the existing role-based access control (RBAC) authorization method provided by Kubernetes and authorizing our existing read-only IAM entity role, Cloudcraft requires no special software or agent to look inside your clusters.

You can find more information on RBAC configuration and IAM entities in the link below:

The ability to scan Amazon EKS clusters and AWS accounts is only available to Cloudcraft Pro subscribers. Check out our pricing page for more information.


Before connecting your Amazon EKS clusters with Cloudcraft, you need to connect your AWS account and generate diagrams that include your clusters.

Linked below, you will find documentation to help you connect your AWS account and familiarize yourself with Cloudcraft.

You will also want to install and configure kubectl, a tool that lets you control Kubernetes clusters through the command line. AWS requires version 1.21 or higher, but we recommend using the latest version to avoid issues.

Authorizing the Cloudcraft IAM role for view-only

Start by opening a blueprint with an existing Amazon EKS cluster or using the Auto Layout feature to generate a new blueprint.

With your AWS environment mapped into a blueprint, select the Amazon EKS cluster that you wish to scan, and click the Enable cluster scanning button that appears in the component toolbar.

Button to enable the scanning of an Amazon EKS cluster

The next screen will provide step-by-step instructions, so open a terminal window and proceed.

As the Amazon EKS cluster creator or user with admin access, open the aws-auth ConfigMap file with kubectl.

kubectl edit -n kube-system configmap/aws-auth

With the aws-auth.yaml file open in your favorite text editor, add the role details to the mapRoles section of the file, just under the data section.

data:
  mapRoles: |
    - rolearn: <arn-for-the-readonly-cloudcraft-iam-role>
      groups:
        - cloudcraft-view-only

If the section does not exist, add it. Once done, save the file and exit.

groups refers to the groups within your cluster to which the role is mapped. The Default Roles and Role Bindings page in the Kubernetes documentation website should give you more information.

Typos and syntax errors can affect the permissions of all IAM users and roles updated within the ConfigMap file. We recommend adding a YAML linter to your favorite text editor to prevent issues.

Granting view-only access to the Cloudcraft IAM role

The IAM role is now mapped to the cloudcraft-view-only group, but that alone is not enough; you still need to bind that group to a Kubernetes role with a ClusterRoleBinding.

A ClusterRoleBinding grants the permissions defined in a role to a user or set of users in all namespaces in a cluster. Kubernetes defines some default user-facing roles, and we will use the predefined "view" role, which allows view-only access to see most objects in a namespace. The view role does not allow reading Secrets, roles, or role bindings.

Enter the multi-line command below to create the ClusterRoleBinding and grant view-only permission to users in the cloudcraft-view-only group.

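cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudcraft-view-only
subjects:
  - kind: Group
    name: cloudcraft-view-only
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
EOF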
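
To confirm from the cluster side that the binding grants read access and nothing more, the following added example (not part of Cloudcraft's own instructions) impersonates a member of the cloudcraft-view-only group with kubectl auth can-i. The user name cloudcraft-rbac-check and the list of checks are assumptions chosen for illustration, and the caller needs permission to impersonate, which a cluster admin has.

```shell
#!/bin/sh
# Added example: check, by impersonation, what the cloudcraft-view-only group may do.
KUBECTL="${KUBECTL:-kubectl}"
GROUP="cloudcraft-view-only"      # group named in the aws-auth mapping
AS_USER="cloudcraft-rbac-check"   # assumed name; --as-group requires some --as user

# can_i VERB RESOURCE: prints kubectl's answer ("yes" or "no ...").
# kubectl exits non-zero on "no", so the status is ignored and the text is used.
can_i() {
  "$KUBECTL" auth can-i "$1" "$2" --all-namespaces \
    --as="$AS_USER" --as-group="$GROUP" </dev/null 2>/dev/null || true
}

# verify_view_only: returns 0 only if every expectation listed below holds.
verify_view_only() {
  vvo_rc=0
  while read -r want verb res; do
    got="$(can_i "$verb" "$res")"
    got="${got%% *}"              # keep the first word of the answer
    if [ "$got" = "$want" ]; then
      echo "ok    $verb $res -> $got"
    else
      echo "FAIL  $verb $res -> ${got:-error} (expected $want)"
      vvo_rc=1
    fi
  done <<'CHECKS'
yes list pods
yes list deployments.apps
yes get services
no get secrets
no create pods
no delete deployments.apps
no list rolebindings.rbac.authorization.k8s.io
CHECKS
  return "$vvo_rc"
}

# Usage (as a cluster admin, against the current kubectl context):
#   verify_view_only
```

A FAIL on one of the "no" lines means the group is bound to more than the view role, for example through another entry in aws-auth or an additional binding.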

Testing access to the cluster

Head back to Cloudcraft and click the Test cluster access button at the bottom of the Enable Kubernetes Cluster Scanning screen.

Button to run a test Amazon EKS cluster scan

That is it! Assuming the test passed, Cloudcraft should be able to visualize workloads and pods for this cluster.

If you want to scan other clusters, repeat the process as many times as needed.