Show HN: Kubesplaining CLI that maps RBAC privilege-escalation paths in K8s (github.com)
2 points by 0hardik1 10 hours ago | 1 comments

There are many Kubernetes security scanners out there, and most give you results that say "this resource is misconfigured."

Kubesplaining tries to answer this: Given the RBAC bindings and pods you already have, how would an attacker move from a low-privilege subject to cluster-admin, host root, or kube-system secrets?

It walks the RBAC graph from every non-system subject and chains risky permissions into concrete attack paths.

Heavily inspired by Cloudsplaining, which does the same job for AWS IAM.
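
The kind of graph walk the post describes, as an added illustration that is not Kubesplaining's code and not part of the original post: a breadth-first search over RBAC grants that chains risky permissions into paths for an audit report. The grant data, the three edge rules, and every name below are constructed assumptions for the example.

```python
from collections import deque

# Constructed sample data, not taken from a real cluster.
# subject -> list of (verb, resource, namespace); None = cluster-scoped.
GRANTS = {
    "user:dev": [("create", "pods", "ci")],
    "user:viewer": [("get", "pods", "ci")],
    "sa:ci/builder": [("get", "secrets", "kube-system")],
    "sa:kube-system/operator": [("bind", "clusterroles", None)],
}
SERVICE_ACCOUNTS = {"ci": ["sa:ci/builder"],
                    "kube-system": ["sa:kube-system/operator"]}
TARGETS = {"cluster-admin", "kube-system secrets"}

def edges(subject):
    """Yield (reason, next_node) for each risky permission the subject holds."""
    for verb, resource, ns in GRANTS.get(subject, []):
        if resource == "pods" and verb == "create":
            # A pod may run under any service account in its namespace.
            for sa in SERVICE_ACCOUNTS.get(ns, []):
                yield f"create pods in {ns}", sa
        elif resource == "secrets" and verb in ("get", "list"):
            if ns == "kube-system":
                yield "read secrets in kube-system", "kube-system secrets"
            # Assumption: token secrets exist for these service accounts.
            for sa in SERVICE_ACCOUNTS.get(ns, []):
                yield f"read token secret in {ns}", sa
        elif resource == "clusterroles" and verb in ("bind", "escalate"):
            yield f"{verb} clusterroles", "cluster-admin"

def attack_paths(start):
    """Breadth-first walk; returns the shortest path to each reachable target."""
    found, seen, queue = {}, {start}, deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        for reason, nxt in edges(node):
            if nxt in seen:
                continue
            seen.add(nxt)
            step = path + [f"--{reason}-->", nxt]
            if nxt in TARGETS:
                found[nxt] = step
            else:
                queue.append((nxt, step))
    return found

def report():
    """Paths from every subject outside kube-system (the non-system ones here)."""
    return {s: attack_paths(s) for s in GRANTS
            if not s.startswith("sa:kube-system/")}
```

Each path in `report()` names the grant behind every hop, so removing or narrowing any one of those grants breaks the chain.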

0hardik1 10 hours ago

[dead]