Problem
The team needs to know which Cloudflare routes reach EKS workloads and whether any public paths skip expected authentication or WAF controls.
Example workflow
Scan Cloudflare and EKS together
Use this workflow when the public edge lives in Cloudflare but the application runtime lives in EKS, and neither console alone explains the full exposure path.
Clanker Cloud maps the edge-to-cluster route, checks public surfaces, and separates read-only evidence from any approved remediation.
Answer first: match the public Cloudflare route to the Kubernetes ingress and backend service, then decide whether the exposure is intended.
App workflow or query
Copy the app query below, then adjust context names, profiles, namespaces, and provider scopes for your environment.
Safety boundary
The scan inventories resources and performs bounded reachability checks. It does not mutate DNS, WAF, ingress, or Kubernetes objects. Remediation stays behind a reviewed plan.
Next step
Generate a reviewed plan for route tightening, WAF coverage, or ingress annotation changes, then re-run the scan to confirm the public surface changed.
Proof artifact
Problem, app query, context, output, and safety
Problem
The team needs to know which Cloudflare routes reach EKS workloads and whether any public paths skip expected authentication or WAF controls.
App workflow/query
Clanker Cloud app:
1. Open Security.
2. Select Cloudflare plus the production EKS context.
3. Ask:
Scan Cloudflare edge, DNS, WAF, tunnels, and EKS ingress for exposed paths, missing auth, and risky public API surfaces.
Optional focused app query:
Which DNS records, Workers routes, and tunnels point at the production EKS ingress?Open-source CLI equivalent
clanker security "Scan Cloudflare edge, DNS, WAF, tunnels, and EKS ingress for exposed paths, missing auth, and risky public API surfaces." --profile prod
clanker ask --cloudflare "Which DNS records, Workers routes, and tunnels point at the production EKS ingress?"Input context
Clanker Cloud app connected to AWS for EKS discovery, Cloudflare account or zone credentials configured locally, production cluster context, known domains, and any expected public/private route list.
Output example
Finding: api.example.com is proxied through Cloudflare to an AWS ALB backing ingress prod/public-api. /admin/health is reachable without auth and bypasses the Worker route that enforces JWT checks. WAF rules are active for /api/* but not /admin/*. Suggested next step: add an explicit Cloudflare rule for /admin/* and verify the ingress annotation set before exposing additional paths.Safety boundary
The scan inventories resources and performs bounded reachability checks. It does not mutate DNS, WAF, ingress, or Kubernetes objects. Remediation stays behind a reviewed plan.
Supported providers
Next step
Generate a reviewed plan for route tightening, WAF coverage, or ingress annotation changes, then re-run the scan to confirm the public surface changed.
Related examples
Keep going
Debug Kubernetes 502 responses
Users get HTTP 502 from a Kubernetes app even though DNS and the public load balancer are reachable.
Find an AWS cost spike
AWS spend is up sharply this week and the team needs to know which resources, services, and changes explain it.
Use Claude Code MCP with Kubernetes
Claude Code can inspect the repo, but it cannot see the running cluster, failing pods, ingress state, or cloud context without a controlled tool surface.
FAQ
Common questions
Does this workflow change infrastructure?
The scan inventories resources and performs bounded reachability checks. It does not mutate DNS, WAF, ingress, or Kubernetes objects. Remediation stays behind a reviewed plan.
Can the same pattern run from the open-source CLI?
Yes. The examples lead with the Clanker Cloud app because that is the product workflow. The public Clanker CLI powers the local runtime and remains the equivalent path for terminals, automation, and MCP clients.
Next step
Want the full example library?
Browse the proof-oriented examples for Kubernetes, cost, Cloudflare, MCP, and review-before-apply workflows.