- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
By scanning your Amazon EKS clusters, Cloudcraft allows you to generate system architecture diagrams to help visualize your deployed workloads and pods.
Cloudcraft uses the role-based access control (RBAC) authorization method provided by Kubernetes to authorize Cloudcraft’s existing read-only IAM entity role. That means Cloudcraft requires no special software or agent.
To learn more about RBAC configuration and IAM entities, see Managing users or IAM roles for your cluster.
Before connecting your Amazon EKS clusters with Cloudcraft, you must connect your AWS account and generate diagrams that include your clusters.
To connect your AWS account and familiarize yourself with Cloudcraft, see the following articles:
Install and configure kubectl
, a tool that allows you to control Kubernetes clusters through the command line. Cloudcraft recommends using the latest version to avoid issues.
In addition, in order to scan your cluster successfully, Cloudcraft requires clusters to have public access enabled and no IP filtering applied. The Public Access Source Allow List option in the networking configuration must remain set to its default value of 0.0.0.0/0.
Start by opening a blueprint with an existing Amazon EKS cluster or using the Auto Layout feature to generate a new blueprint.
With your AWS environment mapped into a blueprint, select the Amazon EKS cluster that you wish to scan, and click the Enable cluster scanning button that appears in the component toolbar.
The next screen provides step-by-step commands to run in Terminal.
As the Amazon EKS cluster creator or user with admin access, open the aws-auth ConfigMap file with kubectl
.
kubectl edit -n kube-system configmap/aws-auth
With the aws-auth.yaml
file open in a text editor, add the role details to the mapRoles section of the file, just after under the data section.
data:
mapRoles: |
- rolearn: <arn-for-the-readonly-cloudcraft-iam-role>
groups:
- cloudcraft-view-only
If the section does not exist, add it. Once done, save the file and exit.
Next, use ClusterRoleBinding to bind the IAM role to a Kubernetes role.
A ClusterRoleBinding grants permissions defined in a role to a user or set of users in all namespaces in a cluster. Kubernetes defines some default user-facing roles. For Cloudcraft, use the predefined “view” role that allows view-only access to most objects in a namespace.
Enter the following multi-line command to create the ClusterRoleBinding and grant view-only permission to users in the cloudcraft-view-only group.
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cloudcraft-view-only
subjects:
- kind: Group
name: cloudcraft-view-only
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
EOF
To test that Cloudcraft can access to the cluster, click Test cluster access at the bottom of the Enable Kubernetes Cluster Scanning screen.
To scan other clusters, repeat the process as many times as needed.