Issue No. 001 · March 21, 2026 · Seoul Edition

Kubesplaining: Kubernetes security assessment CLI for RBAC and privilege escalation path analysis

Shifts focus from static misconfiguration reporting to dynamic privilege-escalation path mapping. Implements a graph-based analysis (BFS) to identify how an attacker can hop from a low-privilege subject to a high-value sink.

May 3, 2026 · IndiePulse AI Editorial · Stories
Discovered on: GLOBAL · EN · HN

Kubesplaining · live

Tagline: Kubernetes security assessment CLI for RBAC and privilege escalation path analysis
Platform: other
Category: Security · DevSecOps · Kubernetes
Visit: github.com
Most Kubernetes security scanners are effectively glorified linting tools: they flag a privileged container or a wildcard RBAC binding and leave the 'so what?' to the operator. Kubesplaining takes a more aggressive, red-team approach by treating the cluster as a graph of capabilities. By analyzing RBAC bindings and pod configurations, it calculates actual attack vectors, specifically how a compromised ServiceAccount can leverage its permissions to pivot through other identities until it reaches a critical sink such as cluster-admin or host root.

The technical execution is clean. The separation between the 'collector' (which talks to the Kubernetes API) and the 'analyzer' (which processes a JSON snapshot) is a high-water mark for tool design: security engineers can capture cluster state on a production jumphost and perform the analysis on a local machine without exposing credentials. SARIF output further demonstrates an understanding of the modern DevSecOps pipeline, enabling direct integration with GitHub code scanning.

While the tool is powerful, its reliance on structural possibility rather than operational reality means it can produce false positives, reporting paths that are technically open but blocked by external factors. The inclusion of a robust exclusions system and severity attenuation by hop count is a practical attempt to manage that noise. It does not try to be a real-time enforcement engine, which is a wise boundary to keep.

This is a must-have for anyone managing complex RBAC environments or performing security audits. It turns a dry list of 'Critical' findings into a narrative of how a cluster would actually be compromised, an invaluable asset when convincing stakeholders to prioritize remediation.
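To make the graph idea concrete, here is a small added example of the analyzer half of such a design. It is not Kubesplaining's own code and the snapshot schema, identity names, edge labels, sink set and severity thresholds are all assumptions constructed for illustration: the analyzer takes a JSON snapshot (the kind a separate collector would have written), builds a directed graph whose edges are "subject holds a permission that lets it act as target", runs a breadth-first search from every ServiceAccount to the high-value sinks, attenuates severity by hop count, honours an exclusion list, and renders the findings as a minimal SARIF 2.1.0 document for code-scanning upload.

```python
"""Toy RBAC escalation-path analyzer (added example, not Kubesplaining's code).

Works purely on a JSON snapshot, so it needs no cluster access: that mirrors
the collector/analyzer split described in the review. Schema, identities and
edge labels below are constructed for the example.
"""
import json
from collections import deque

# Sinks: identities whose reachability means the cluster is effectively lost.
DEFAULT_SINKS = frozenset({"clusterrole:cluster-admin", "node:host-root"})

# Constructed snapshot. Each edge says: "subject" holds "grant", and that
# grant lets it act as "target". Grant labels reuse the RBAC verbs the
# Kubernetes docs flag as escalation-sensitive (impersonate, bind, escalate).
SAMPLE_SNAPSHOT_JSON = json.dumps({
    "edges": [
        {"subject": "sa:dev/ci-runner", "grant": "impersonate serviceaccounts",
         "target": "sa:dev/deployer"},
        {"subject": "sa:dev/deployer", "grant": "bind clusterrolebindings",
         "target": "sa:ops/release"},
        {"subject": "sa:ops/release", "grant": "escalate clusterroles",
         "target": "clusterrole:cluster-admin"},
        {"subject": "sa:ops/release", "grant": "create privileged pods",
         "target": "node:host-root"},
        {"subject": "sa:kube-system/controller", "grant": "bind clusterrolebindings",
         "target": "clusterrole:cluster-admin"},
        # Dead end: a grant that leads nowhere dangerous.
        {"subject": "sa:monitoring/exporter", "grant": "get configmaps",
         "target": "ns:monitoring/readonly"},
    ]
})


def build_graph(snapshot):
    """Adjacency list: node -> [(target, grant), ...]."""
    graph = {}
    for edge in snapshot["edges"]:
        graph.setdefault(edge["subject"], []).append((edge["target"], edge["grant"]))
        graph.setdefault(edge["target"], [])
    return graph


def severity_for_hops(hops):
    """Attenuate severity: a direct hop is worse than a long, fragile chain."""
    if hops <= 1:
        return "CRITICAL"
    if hops == 2:
        return "HIGH"
    if hops == 3:
        return "MEDIUM"
    return "LOW"


def shortest_path_to_sink(graph, start, sinks):
    """BFS from start; returns [(from, grant, to), ...] or None if unreachable."""
    parents = {start: None}
    grants = {}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in sinks and node != start:
            path = []
            while parents[node] is not None:  # walk back to the start
                prev = parents[node]
                path.append((prev, grants[(prev, node)], node))
                node = prev
            return list(reversed(path))
        for nxt, grant in graph.get(node, []):
            if nxt not in parents:  # first visit is on a shortest path
                parents[nxt] = node
                grants[(node, nxt)] = grant
                queue.append(nxt)
    return None


def analyze(snapshot_json, sinks=DEFAULT_SINKS, excluded_subjects=()):
    """Return one finding per ServiceAccount that can reach a sink."""
    graph = build_graph(json.loads(snapshot_json))
    findings = []
    for subject in sorted(graph):
        if not subject.startswith("sa:") or subject in excluded_subjects:
            continue  # only workload identities, minus accepted exclusions
        path = shortest_path_to_sink(graph, subject, sinks)
        if path is None:
            continue
        findings.append({
            "subject": subject,
            "sink": path[-1][2],
            "hops": len(path),
            "severity": severity_for_hops(len(path)),
            "path": " -> ".join(f"{a} [{g}]" for a, g, _ in path) + f" -> {path[-1][2]}",
        })
    return findings


def to_sarif(findings):
    """Minimal SARIF 2.1.0 log; level mapping is this example's own choice."""
    level = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "toy-rbac-path-analyzer"}},
            "results": [{
                "ruleId": "rbac-escalation-path",
                "level": level[f["severity"]],
                "message": {"text": f"{f['severity']} ({f['hops']} hops): {f['path']}"},
            } for f in findings],
        }],
    }


if __name__ == "__main__":
    for finding in analyze(SAMPLE_SNAPSHOT_JSON, excluded_subjects={"sa:kube-system/controller"}):
        print(finding["severity"], finding["path"])
```

Because BFS dequeues each node the first time it is reached, the first sink it pops is at minimum hop distance, so the hop count used for attenuation is the true shortest chain. The exclusion list suppresses subjects whose direct path is by design (here the constructed kube-system controller) rather than silently dropping edges, which keeps the graph intact for the subjects that are still analysed.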

Article Tags: indie · security · devsecops · kubernetes