# Scan Cloudflare and EKS together

Answer first: match the public Cloudflare route to the Kubernetes ingress and backend service, then decide whether the exposure is intended.

## Problem

The team needs to know which Cloudflare routes reach EKS workloads and whether any public paths skip expected authentication or WAF controls.

## App workflow/query

```text
Clanker Cloud app:
1. Open Security.
2. Select Cloudflare plus the production EKS context.
3. Ask:
Scan Cloudflare edge, DNS, WAF, tunnels, and EKS ingress for exposed paths, missing auth, and risky public API surfaces.

Optional focused app query:
Which DNS records, Workers routes, and tunnels point at the production EKS ingress?
```

## Open-source CLI equivalent

```bash
clanker security "Scan Cloudflare edge, DNS, WAF, tunnels, and EKS ingress for exposed paths, missing auth, and risky public API surfaces." --profile prod

clanker ask --cloudflare "Which DNS records, Workers routes, and tunnels point at the production EKS ingress?"
```

## Input context

Clanker Cloud app connected to AWS for EKS discovery, Cloudflare account or zone credentials configured locally, production cluster context, known domains, and any expected public/private route list.

## Output example

```text
Finding: api.example.com is proxied through Cloudflare to an AWS ALB backing ingress prod/public-api. /admin/health is reachable without auth and bypasses the Worker route that enforces JWT checks. WAF rules are active for /api/* but not /admin/*. Suggested next step: add an explicit Cloudflare rule for /admin/* and verify the ingress annotation set before exposing additional paths.
```

## Safety boundary

The scan inventories resources and performs bounded reachability checks. It does not mutate DNS, WAF, ingress, or Kubernetes objects. Remediation stays behind a reviewed plan.

## Supported providers

Cloudflare, AWS, EKS, Kubernetes, ALB, WAF.

## Next step

Generate a reviewed plan for route tightening, WAF coverage, or ingress annotation changes, then re-run the scan to confirm the public surface changed.