
feat: Ingest Kubernetes resources through EKS access entries

Open ishaanverma opened this issue 3 months ago • 0 comments

Summary


This PR adds support for syncing AWS EKS cluster resources via EKS access entries. A user would need to first create an EKS access entry with an appropriate access policy for this to work.

The feature is enabled by a flag and does not require modifying the aws-auth ConfigMap or creating a custom kubeconfig file. Enable it with:

AWS_PROFILE=security-cartography AWS_DEFAULT_REGION=us-east-1 \
uv run cartography \
 --neo4j-uri bolt://localhost:7687 \
 --selected-modules aws \
 --aws-requested-syncs eks \
 --aws-eks-sync-cluster-resources

Related issues or links


  • https://github.com/cartography-cncf/cartography/issues/...

Checklist

Provide proof that this works (this makes reviews move faster). Please perform one or more of the following:

  • [x] Update/add unit or integration tests.
  • [ ] Include a screenshot showing what the graph looked like before and after your changes.
  • [x] Include console log trace showing what happened before and after your changes.

If you are changing a node or relationship:

If you are implementing a new intel module:

  • [x] Use the NodeSchema data model.

  • [x] Confirm that the linter actually passes (submitting a PR where the linter fails shows reviewers that you did not test your code and will delay your review).

INFO:cartography.sync:Starting sync with update tag '1761001648'
INFO:cartography.sync:Starting sync stage 'aws'
INFO:cartography.intel.aws:Syncing AWS accounts: XXX
INFO:cartography.intel.aws:Syncing AWS account with ID 'XXX' using configured profile 'XXX'.
INFO:cartography.intel.aws:Trying to autodiscover accounts.
WARNING:cartography.intel.aws:The current account (XXX) doesn't have enough permissions to perform autodiscovery.
INFO:cartography.intel.aws.eks:Syncing EKS for region 'us-east-1' in account 'XXX'.
INFO:cartography.intel.aws.eks:Syncing EKS cluster resources for cluster 'testing' in region 'us-east-1' in account 'XXX'.
INFO:cartography.intel.kubernetes:Syncing data for k8s cluster testing...
INFO:cartography.intel.kubernetes.clusters:Loading 'testing' Kubernetes cluster into graph
INFO:cartography.intel.kubernetes.namespaces:Loading 48 kubernetes namespaces.
INFO:cartography.graph.statement:Completed KubernetesNamespace statement #1
INFO:cartography.graph.statement:Completed KubernetesNamespace statement #2
INFO:cartography.graph.job:Finished job KubernetesNamespace
INFO:cartography.intel.kubernetes.rbac:Syncing Kubernetes RBAC resources for cluster testing
INFO:cartography.intel.kubernetes.rbac:Loading 22 KubernetesUsers
INFO:cartography.intel.kubernetes.rbac:Loading 15 KubernetesGroups
INFO:cartography.intel.kubernetes.rbac:Loading 183 KubernetesServiceAccounts
INFO:cartography.intel.kubernetes.rbac:Loading 73 KubernetesRoles
INFO:cartography.intel.kubernetes.rbac:Loading 219 KubernetesClusterRoles
INFO:cartography.intel.kubernetes.rbac:Loading 80 KubernetesRoleBindings
INFO:cartography.intel.kubernetes.rbac:Loading 183 KubernetesClusterRoleBindings
INFO:cartography.graph.statement:Completed KubernetesServiceAccount statement #1
INFO:cartography.graph.statement:Completed KubernetesServiceAccount statement #2
INFO:cartography.graph.statement:Completed KubernetesServiceAccount statement #3
INFO:cartography.graph.job:Finished job KubernetesServiceAccount
INFO:cartography.graph.statement:Completed KubernetesRole statement #1
INFO:cartography.graph.statement:Completed KubernetesRole statement #2
INFO:cartography.graph.statement:Completed KubernetesRole statement #3
INFO:cartography.graph.job:Finished job KubernetesRole
INFO:cartography.graph.statement:Completed KubernetesRoleBinding statement #1
INFO:cartography.graph.statement:Completed KubernetesRoleBinding statement #2
INFO:cartography.graph.statement:Completed KubernetesRoleBinding statement #3
INFO:cartography.graph.statement:Completed KubernetesRoleBinding statement #4
INFO:cartography.graph.statement:Completed KubernetesRoleBinding statement #5
INFO:cartography.graph.statement:Completed KubernetesRoleBinding statement #6
INFO:cartography.graph.statement:Completed KubernetesRoleBinding statement #7
INFO:cartography.graph.job:Finished job KubernetesRoleBinding
INFO:cartography.graph.statement:Completed KubernetesClusterRole statement #1
INFO:cartography.graph.statement:Completed KubernetesClusterRole statement #2
INFO:cartography.graph.job:Finished job KubernetesClusterRole
INFO:cartography.graph.statement:Completed KubernetesClusterRoleBinding statement #1
INFO:cartography.graph.statement:Completed KubernetesClusterRoleBinding statement #2
INFO:cartography.graph.statement:Completed KubernetesClusterRoleBinding statement #3
INFO:cartography.graph.statement:Completed KubernetesClusterRoleBinding statement #4
INFO:cartography.graph.statement:Completed KubernetesClusterRoleBinding statement #5
INFO:cartography.graph.statement:Completed KubernetesClusterRoleBinding statement #6
INFO:cartography.graph.job:Finished job KubernetesClusterRoleBinding
INFO:cartography.graph.statement:Completed KubernetesUser statement #1
INFO:cartography.graph.statement:Completed KubernetesUser statement #2
INFO:cartography.graph.statement:Completed KubernetesUser statement #3
INFO:cartography.graph.statement:Completed KubernetesUser statement #4
INFO:cartography.graph.statement:Completed KubernetesUser statement #5
INFO:cartography.graph.job:Finished job KubernetesUser
INFO:cartography.graph.statement:Completed KubernetesGroup statement #1
INFO:cartography.graph.statement:Completed KubernetesGroup statement #2
INFO:cartography.graph.statement:Completed KubernetesGroup statement #3
INFO:cartography.graph.statement:Completed KubernetesGroup statement #4
INFO:cartography.graph.statement:Completed KubernetesGroup statement #5
INFO:cartography.graph.job:Finished job KubernetesGroup
INFO:cartography.intel.kubernetes.pods:Loading 149 kubernetes pods.
INFO:cartography.intel.kubernetes.pods:Loading 192 kubernetes containers.
INFO:cartography.graph.statement:Completed KubernetesContainer statement #1
INFO:cartography.graph.statement:Completed KubernetesContainer statement #2
INFO:cartography.graph.statement:Completed KubernetesContainer statement #3
INFO:cartography.graph.statement:Completed KubernetesContainer statement #4
INFO:cartography.graph.job:Finished job KubernetesContainer
INFO:cartography.graph.statement:Completed KubernetesPod statement #1
INFO:cartography.graph.statement:Completed KubernetesPod statement #2
INFO:cartography.graph.statement:Completed KubernetesPod statement #3
INFO:cartography.graph.job:Finished job KubernetesPod
INFO:cartography.intel.kubernetes.secrets:Loading 142 KubernetesSecrets
INFO:cartography.graph.statement:Completed KubernetesSecret statement #1
INFO:cartography.graph.statement:Completed KubernetesSecret statement #2
INFO:cartography.graph.statement:Completed KubernetesSecret statement #3
INFO:cartography.graph.job:Finished job KubernetesSecret
INFO:cartography.intel.kubernetes.services:Loading 117 KubernetesServices
INFO:cartography.graph.statement:Completed KubernetesService statement #1
INFO:cartography.graph.statement:Completed KubernetesService statement #2
INFO:cartography.graph.statement:Completed KubernetesService statement #3
INFO:cartography.graph.statement:Completed KubernetesService statement #4
INFO:cartography.graph.job:Finished job KubernetesService
INFO:cartography.intel.aws.eks:Running EKS cluster cleanup
INFO:cartography.graph.statement:Completed EKSCluster statement #1
INFO:cartography.graph.statement:Completed EKSCluster statement #2
INFO:cartography.graph.job:Finished job EKSCluster
INFO:cartography.graph.statement:Completed aws_ec2_iaminstanceprofile statement #1
INFO:cartography.graph.statement:Completed aws_ec2_iaminstanceprofile statement #2
INFO:cartography.graph.job:Finished job aws_ec2_iaminstanceprofile
INFO:cartography.graph.statement:Completed aws_lambda_ecr statement #1
INFO:cartography.graph.statement:Completed aws_lambda_ecr statement #2
INFO:cartography.graph.job:Finished job aws_lambda_ecr
INFO:cartography.graph.statement:Completed aws_post_ingestion_principals_cleanup statement #1
INFO:cartography.graph.job:Finished job aws_post_ingestion_principals_cleanup
INFO:cartography.util:Did not run aws_ec2_asset_exposure.json because it needs {'ec2:instance', 'ec2:load_balancer', 'ec2:load_balancer_v2', 'ec2:security_group'} to be included as a requested sync. You specified: {'eks'}. If you want this job to run, please change your CLI args/cartography config so that all required resources are included.
INFO:cartography.util:Did not run aws_ec2_keypair_analysis.json because it needs {'ec2:keypair'} to be included as a requested sync. You specified: {'eks'}. If you want this job to run, please change your CLI args/cartography config so that all required resources are included.
INFO:cartography.graph.statement:Completed aws_eks_asset_exposure statement #1
INFO:cartography.graph.statement:Completed aws_eks_asset_exposure statement #2
INFO:cartography.graph.job:Finished job aws_eks_asset_exposure
INFO:cartography.graph.statement:Completed aws_foreign_accounts statement #1
INFO:cartography.graph.statement:Completed aws_foreign_accounts statement #2
INFO:cartography.graph.job:Finished job aws_foreign_accounts
INFO:cartography.sync:Finishing sync stage 'aws'
INFO:cartography.sync:Finishing sync with update tag '1761001648'

ishaanverma · Sep 25 '25 05:09
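The description says the operator must first create an EKS access entry with a suitable access policy for the principal cartography runs as. The script below is an added example of that setup step; it is not part of the PR or of the cartography project. The `aws eks` subcommands (`describe-cluster`, `create-access-entry`, `describe-access-entry`, `associate-access-policy`, `list-associated-access-policies`) are real AWS CLI commands, but the cluster name, principal ARN and policy name are constructed placeholders, and `AWS_CMD` exists only so the logic can be exercised against a mock. The policy choice is the security-relevant decision: `AmazonEKSViewPolicy` is used here as a least-privilege starting point, but it excludes Secrets and RBAC objects, and the sync log above shows those kinds being loaded, so an operator should confirm the narrowest policy that still covers every resource kind the sync reads rather than reaching for `AmazonEKSClusterAdminPolicy`. The script also checks the cluster's authentication mode first, because access entries are only honoured in `API` or `API_AND_CONFIG_MAP` mode.

```shell
#!/usr/bin/env sh
# Constructed example: grant a read-only cartography principal Kubernetes
# access to an EKS cluster through an EKS access entry, then verify it.
# CLUSTER_NAME, PRINCIPAL_ARN and POLICY_NAME are placeholders (assumptions,
# not values from the PR). AWS_CMD lets a test substitute a mock for `aws`.

CLUSTER_NAME="${CLUSTER_NAME:-testing}"
PRINCIPAL_ARN="${PRINCIPAL_ARN:-arn:aws:iam::123456789012:role/security-cartography}"
POLICY_NAME="${POLICY_NAME:-AmazonEKSViewPolicy}"
AWS_CMD="${AWS_CMD:-aws}"

# EKS-managed access policies share one ARN shape; build it from the name.
access_policy_arn() {
  printf 'arn:aws:eks::aws:cluster-access-policy/%s' "$1"
}

# Access entries are only consulted when the cluster authenticates via the
# EKS API (alone or alongside the legacy aws-auth ConfigMap).
auth_mode_supports_access_entries() {
  case "$1" in
    API|API_AND_CONFIG_MAP) return 0 ;;
    *) return 1 ;;
  esac
}

cluster_auth_mode() {
  "$AWS_CMD" eks describe-cluster --name "$CLUSTER_NAME" \
    --query 'cluster.accessConfig.authenticationMode' --output text
}

# Idempotent: creating an entry that already exists fails, so fall back to
# confirming the existing entry is readable instead of treating it as an error.
ensure_access_entry() {
  "$AWS_CMD" eks create-access-entry --cluster-name "$CLUSTER_NAME" \
    --principal-arn "$PRINCIPAL_ARN" --type STANDARD >/dev/null 2>&1 ||
  "$AWS_CMD" eks describe-access-entry --cluster-name "$CLUSTER_NAME" \
    --principal-arn "$PRINCIPAL_ARN" >/dev/null
}

# Cluster-wide scope because the sync walks every namespace (48 in the log).
associate_policy() {
  "$AWS_CMD" eks associate-access-policy --cluster-name "$CLUSTER_NAME" \
    --principal-arn "$PRINCIPAL_ARN" \
    --policy-arn "$(access_policy_arn "$POLICY_NAME")" \
    --access-scope type=cluster >/dev/null
}

# Prints the policy ARNs associated with the principal, one per line.
associated_policy_arns() {
  "$AWS_CMD" eks list-associated-access-policies --cluster-name "$CLUSTER_NAME" \
    --principal-arn "$PRINCIPAL_ARN" \
    --query 'associatedAccessPolicies[].policyArn' --output text | tr '\t' '\n'
}

# Succeeds only if exactly the named policy is among the associations.
policy_is_associated() {
  associated_policy_arns | grep -Fxq "$(access_policy_arn "$1")"
}

main() {
  mode="$(cluster_auth_mode)"
  if ! auth_mode_supports_access_entries "$mode"; then
    echo "cluster '$CLUSTER_NAME' authentication mode is '$mode'; access entries need API or API_AND_CONFIG_MAP" >&2
    return 1
  fi
  ensure_access_entry
  associate_policy
  policy_is_associated "$POLICY_NAME"
}

# Only act when invoked with --apply, so sourcing the file has no side effects.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `sh grant-eks-access.sh --apply` with the same `AWS_PROFILE` and region used for the cartography invocation in the description, after exporting `CLUSTER_NAME` and `PRINCIPAL_ARN` for the real cluster and principal. Once `policy_is_associated` succeeds, the `--aws-eks-sync-cluster-resources` run from the description should be able to list the cluster's resources without any aws-auth or kubeconfig changes.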