explaingit

0hardik1/kubesplaining

Analysis updated 2026-05-18

33GoAudience · ops devopsComplexity · 3/5Setup · easy

TLDR

A command line tool that maps out exactly how an attacker could chain misconfigurations in a Kubernetes cluster to reach full control, with evidence and fixes for each step.

Mindmap

mindmap
  root((Kubesplaining))
    What it does
      Kubernetes security scanner
      Privilege escalation graph
      Attack path mapping
    Tech stack
      Go
      Kubernetes
      CLI binary
    Use cases
      Cluster audits
      CI security gates
      Incident replay
    Checks
      RBAC misconfig
      Pod escape surface
      Network isolation
    Audience
      Security engineers
      DevOps teams

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan a live Kubernetes cluster to find privilege escalation paths before an important release.

USE CASE 2

Analyze a saved cluster snapshot offline for an audit or air-gapped review.

USE CASE 3

Run in CI mode to block a pipeline when new high severity security findings appear.

USE CASE 4

Check a single Kubernetes manifest file for risky configuration without needing cluster access.

What is it built with?

GoKubernetesDockerCLI

How does it compare?

0hardik1/kubesplaining732124645/promptopsinternetkafe/cfsearch
Stars333135
LanguageGoGoGo
Setup difficultyeasyeasymoderate
Complexity3/53/52/5
Audienceops devopsdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Needs a working kubectl context pointed at the cluster you want to scan, or a manifest file for offline checks.

In plain English

Kubesplaining is a command line security tool for Kubernetes, the platform many companies use to run and manage containerized applications at scale. The tool acts like a simulated attacker, reading your cluster's configuration and mapping out every possible path a real attacker could follow to gain full control. Instead of just flagging individual misconfigurations one at a time, it builds a graph showing how several small issues chain together, tracing the exact sequence of steps from a low-privilege account all the way to complete cluster takeover, host root access, or read access to sensitive system secrets. It checks a wide range of problems: overly permissive access controls, containers running with too many privileges, missing network isolation rules, security checks that can be bypassed, and weak handling of secrets and service account tokens. For each finding, it names the specific technique, shows the supporting evidence pulled from your cluster, and gives concrete remediation steps, including ready-to-apply patches or policy files. Results can be exported as an HTML report for human review, or as JSON, CSV, and SARIF for feeding into other tools and GitHub's code scanning. You can run Kubesplaining directly against a live cluster using your existing kubectl connection, capture a snapshot and analyze it later offline for audits, or check a single Kubernetes manifest file without needing cluster access at all. It also supports a continuous integration mode that fails a pipeline only when new high severity findings appear compared to a previous baseline, so it can run automatically on every change. A security engineer, DevOps team, or developer responsible for a Kubernetes environment would use this to audit a cluster before an important release, prepare for a security review, run penetration testing engagements, or reconstruct how an attacker moved through the cluster after an incident. It is written in Go, ships as a single binary, and installs via a prebuilt release, Go install, Docker, or a clone-and-build workflow.

Copy-paste prompts

Prompt 1
Explain how Kubesplaining builds a privilege escalation graph from RBAC bindings and pod configuration.
Prompt 2
Walk me through running kubesplaining scan against my current kubectl context and reading the HTML report.
Prompt 3
Show me how to set up Kubesplaining in a CI pipeline with a severity threshold using --ci-mode.
Prompt 4
Explain the difference between the rbac, podsec, network, and secrets modules Kubesplaining checks.

Frequently asked questions

What is kubesplaining?

A command line tool that maps out exactly how an attacker could chain misconfigurations in a Kubernetes cluster to reach full control, with evidence and fixes for each step.

What language is kubesplaining written in?

Mainly Go. The stack also includes Go, Kubernetes, Docker.

How hard is kubesplaining to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is kubesplaining for?

Mainly ops devops.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.