getnullpkg/kubereach

kubereach

Post-foothold situational awareness for Kubernetes. Land a foothold, and kubereach tells you what you can reach: how far your token goes, the path to cluster-admin, and the way out into the cloud account behind the cluster.

This project is shelved as of 2026-07-03. The design and research are done and two spikes passed, but the case for building the tool did not hold up: the category is already occupied by a similar tool, the flagship cloud-pivot demo is aging out as EKS defaults change, and the effort did not justify the payoff. Nothing is deleted. The full reasoning, the findings still worth keeping, and the conditions that would justify reviving it are in docs/project-status-shelved.md. The description below is the design as it stood; the tool was never built.

Status

Shelved. The design, risk analysis, and build plan are complete, and the two riskiest bets were proven as spikes, but no production engine was written and none is planned. See docs/project-status-shelved.md for why, what survives, and what would bring it back.

The problem

You land a foothold in a Kubernetes cluster: a pod shell, a stolen service-account token, or a kubeconfig. The next question is always the same and always slow to answer. What can this identity do? What can it reach? Can it become cluster-admin, read the secrets, break out to the node, or assume the cloud role behind the workload? Answering by hand means a dozen tools and a long list of kubectl commands, and it still misses paths, because from one foothold you only ever see a corner of the cluster.

What it does

One drop-in binary for that moment. kubereach enumerates from your real, limited perspective, scores what it finds, computes the escalation path to the crown jewels, and follows the trail out into the cloud. One run, one ranked report, ending in your best next move.

  • Enumerate from your foothold. Map what your token can actually do: the attacker's view, not what a full cluster read would show.
  • Compute the escalation path. Walk identity and RBAC chains toward cluster-admin, secrets, the node, and the cloud account, and emit reproducible steps.
  • Pivot to the cloud. Follow workload identity out of the pod (AWS first: IRSA, EKS Pod Identity, node IMDS), confirm the credentials, and identify the role. GCP and Azure come later.
  • Score and explain. Three-tier output (confirmed, conditional, informational) with copy-paste commands and a single best next move.
  • Stay honest about coverage. kubereach reports how much of the cluster it could see, and never claims "no paths" when it only looked at a corner.
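Three of the bullets above (enumerate from the foothold, compute the escalation path, report tiers and coverage) come down to one idea: once bindings are resolved against their roles, RBAC is a graph of identities and escalation is a path search over it. The Go program below is an added illustration written for this page, not code from kubereach, which was never built. It assumes three escalation edge kinds (impersonating a service account, minting its token with TokenRequest, and creating a pod that runs as it), a constructed set of grants, and an `sa:<namespace>/<name>` subject format; the `BuildEdges` and `Path` names and the `Sample` data are my own choices.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Rule is one RBAC policy rule as it appears in a Role or ClusterRole.
type Rule struct{ Verbs, Resources []string }

// Grant is the effective RBAC one subject holds in one namespace ("" = cluster-wide),
// i.e. a binding already resolved against its role. Service-account subjects use the
// assumed id format "sa:<namespace>/<name>".
type Grant struct{ Subject, NS string; Rules []Rule }

// Edge is one identity-to-identity step with a confidence tier and a reproduction hint.
type Edge struct{ From, To, Tier, How string }

const adminNode = "cluster-admin"

// has honours the RBAC wildcard.
func has(list []string, want string) bool { return slices.Contains(list, "*") || slices.Contains(list, want) }

func allows(g Grant, verb, resource string) bool {
	return slices.ContainsFunc(g.Rules, func(r Rule) bool { return has(r.Verbs, verb) && has(r.Resources, resource) })
}

// BuildEdges derives escalation edges. Impersonating a service account or minting its
// token (TokenRequest) is confirmed; creating pods is conditional, because mounting
// another SA's token into a pod you create can be blocked by admission policy. A
// cluster-wide "*" on "*" grant counts as cluster-admin and ends at adminNode.
func BuildEdges(grants []Grant) []Edge {
	var out []Edge
	for _, g := range grants {
		if g.NS == "" && allows(g, "*", "*") {
			out = append(out, Edge{g.Subject, adminNode, "confirmed", "grant is cluster-admin equivalent"})
		}
		for _, t := range grants { // every service-account subject is a potential target identity
			ns, name, _ := strings.Cut(strings.TrimPrefix(t.Subject, "sa:"), "/")
			if t.Subject == g.Subject || !strings.HasPrefix(t.Subject, "sa:") || (g.NS != "" && ns != g.NS) {
				continue // a namespaced grant only reaches SAs in that namespace
			}
			switch {
			case allows(g, "impersonate", "serviceaccounts"):
				out = append(out, Edge{g.Subject, t.Subject, "confirmed", "kubectl --as=system:serviceaccount:" + ns + ":" + name + " auth can-i --list"})
			case allows(g, "create", "serviceaccounts/token"):
				out = append(out, Edge{g.Subject, t.Subject, "confirmed", "kubectl create token " + name + " -n " + ns})
			case allows(g, "create", "pods"):
				out = append(out, Edge{g.Subject, t.Subject, "conditional", "run a pod in " + ns + " as serviceAccountName " + name + " and read its projected token"})
			}
		}
	}
	return out
}

// Path is a breadth-first search from the foothold to adminNode. It returns the edge
// sequence and the weakest tier on it, or nil and "" when the visible grants hold no
// path, which is a statement about coverage, not proof that no path exists.
func Path(foothold string, edges []Edge) ([]Edge, string) {
	prev := map[string]Edge{}
	visited := map[string]bool{foothold: true}
	for queue := []string{foothold}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if cur == adminNode {
			var path []Edge
			tier := "confirmed"
			for n := cur; n != foothold; n = prev[n].From {
				path = append([]Edge{prev[n]}, path...)
				if prev[n].Tier == "conditional" {
					tier = "conditional"
				}
			}
			return path, tier
		}
		for _, e := range edges {
			if e.From == cur && !visited[e.To] {
				visited[e.To], prev[e.To] = true, e
				queue = append(queue, e.To)
			}
		}
	}
	return nil, ""
}

// Sample is constructed data: a CI runner that can create pods in dev, a deployer SA
// that can mint tokens in kube-system, and an operator SA that is cluster-admin.
var Sample = []Grant{
	{"sa:dev/ci-runner", "dev", []Rule{{[]string{"create", "get"}, []string{"pods"}}}},
	{"sa:dev/deployer", "kube-system", []Rule{{[]string{"create"}, []string{"serviceaccounts/token"}}}},
	{"sa:kube-system/cluster-operator", "", []Rule{{[]string{"*"}, []string{"*"}}}},
}

func main() {
	path, tier := Path("sa:dev/ci-runner", BuildEdges(Sample))
	fmt.Printf("best path (%s); a nil path means none visible, not none existing\n", tier)
	for i, e := range path {
		fmt.Printf("%d. [%s] %s -> %s: %s\n", i+1, e.Tier, e.From, e.To, e.How)
	}
}
```

From `sa:dev/ci-runner` the search finds a three-step path whose overall tier is conditional, because its first hop depends on being allowed to schedule a pod as `deployer`; from `sa:dev/deployer` the same graph yields a two-step confirmed path. The conditional edge is exactly the kind of finding that needs a live check before it is reported as more than a hint.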

How it works

  • Deterministic core. RBAC is structured data and pathing is graph traversal, so the engine does real analysis. No model is bolted into the core; anything model-based lives at the edges, optional and off by default.
  • Every finding live-verified. Three-tier confidence, with each finding gated by a live API call made with your token, so the first run does not burn your trust on false positives.
  • Built to outlive API churn. Dynamic API discovery, never hardcoded paths. Hardcoded paths are the failure mode that retired the previous generation of these tools.
  • Single static binary. No runtime dependencies. Drops into a pod or runs against a token from your own machine.
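The two middle bullets, live verification and dynamic discovery, look like this against the real API server endpoints. This is an added example for this page, not kubereach code: it uses only the standard library, reads the server's preferred version of `authorization.k8s.io` from `/apis` instead of hardcoding one, and gates each finding on a `SelfSubjectAccessReview` that the server evaluates for the token in hand. The fake server, the token string `foothold-token` and the single allowed tuple are constructed for the demo.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Client is the foothold's view of one API server: a base URL and the bearer token you
// landed with. No client-go, so it still builds as a single static binary.
type Client struct {
	Base, Token string
	HTTP        *http.Client
}

func (c *Client) do(method, path string, body any) (*http.Response, error) {
	var buf bytes.Buffer
	if body != nil {
		if err := json.NewEncoder(&buf).Encode(body); err != nil {
			return nil, err
		}
	}
	req, _ := http.NewRequest(method, c.Base+path, &buf)
	req.Header.Set("Authorization", "Bearer "+c.Token)
	req.Header.Set("Content-Type", "application/json")
	return c.HTTP.Do(req)
}

// PreferredVersion asks the discovery endpoint /apis which version of a group this server
// prefers instead of hardcoding one; "" means the group is not served at all.
// (encoding/json matches field names case-insensitively, so the structs need no tags.)
func (c *Client) PreferredVersion(group string) (string, error) {
	resp, err := c.do(http.MethodGet, "/apis", nil)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var list struct{ Groups []struct{ Name string; PreferredVersion struct{ GroupVersion string } } }
	if err := json.NewDecoder(resp.Body).Decode(&list); err != nil {
		return "", err
	}
	for _, g := range list.Groups {
		if g.Name == group {
			return g.PreferredVersion.GroupVersion, nil
		}
	}
	return "", nil
}

// CanI live-verifies one (verb, resource, namespace) tuple by POSTing a
// SelfSubjectAccessReview, which the server evaluates for the calling token itself.
func (c *Client) CanI(gv, verb, resource, namespace string) (bool, error) {
	review := map[string]any{
		"apiVersion": gv,
		"kind":       "SelfSubjectAccessReview",
		"spec": map[string]any{"resourceAttributes": map[string]string{
			"verb": verb, "resource": resource, "namespace": namespace}},
	}
	resp, err := c.do(http.MethodPost, "/apis/"+gv+"/selfsubjectaccessreviews", review)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 { // a real server answers 201 Created; 401/403 here is itself a finding
		return false, fmt.Errorf("selfsubjectaccessreview: HTTP %d", resp.StatusCode)
	}
	var out struct{ Status struct{ Allowed, Denied bool } }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, err
	}
	return out.Status.Allowed && !out.Status.Denied, nil
}

// NewFakeAPIServer is a constructed stand-in for kube-apiserver: it serves a discovery
// document and allows exactly one tuple, and only for the bearer token "foothold-token".
func NewFakeAPIServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/apis", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"kind":"APIGroupList","groups":[{"name":"authorization.k8s.io","preferredVersion":{"groupVersion":"authorization.k8s.io/v1","version":"v1"}}]}`)
	})
	mux.HandleFunc("/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer foothold-token" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		var in struct{ Spec struct{ ResourceAttributes map[string]string } }
		json.NewDecoder(r.Body).Decode(&in)
		ra := in.Spec.ResourceAttributes
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(map[string]any{"status": map[string]bool{
			"allowed": ra["verb"] == "list" && ra["resource"] == "pods" && ra["namespace"] == "dev"}})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeAPIServer()
	defer srv.Close()
	c := &Client{Base: srv.URL, Token: "foothold-token", HTTP: srv.Client()}
	gv, _ := c.PreferredVersion("authorization.k8s.io") // "" would mean: not served, stop here
	for _, q := range [][3]string{{"list", "pods", "dev"}, {"get", "secrets", "kube-system"}} {
		ok, err := c.CanI(gv, q[0], q[1], q[2])
		fmt.Printf("%s %s in %s: allowed=%v err=%v\n", q[0], q[1], q[2], ok, err)
	}
}
```

Two details matter for the "stay honest" goal: a non-2xx answer is returned as an error rather than as "not allowed", so a revoked or expired token is not silently folded into a clean report, and the discovery step means a cluster that has moved the group to another version changes one string in the response, not the binary.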

Roadmap

  • Foothold loader and dynamic discovery layer
  • Enumeration engine and scoring
  • Attack-path engine with coverage honesty
  • AWS cloud-pivot module and first tagged release
  • GCP and Azure pivots
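The AWS leg of this roadmap, the "Pivot to the cloud" bullet above, is the part the design spelled out most concretely: IRSA, EKS Pod Identity, node IMDS. The Go program below is an added example for this page, not the project's code. It checks the three channels from inside a pod, marks each confirmed only when the token file or metadata service actually answers, and reports a blocked IMDS as informational rather than saying nothing. The environment variable names and the IMDSv2 headers are the real ones; the fake metadata server, the role name `eks-node-role` and the sample ARN in the test are constructed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// Finding is one cloud-identity channel observed from inside the pod.
type Finding struct{ Channel, Tier, Detail string }

// Env abstracts what the pod can see, so the detection logic also runs offline.
type Env struct {
	Vars       map[string]string
	FileExists func(string) bool
	IMDSBase   string // "http://169.254.169.254" on a real node
}

// envChannel reports a channel whose marker variable is set; it is confirmed only when
// the token file the channel depends on is actually present in the pod.
func envChannel(e Env, channel, markerVar, tokenVar string) (Finding, bool) {
	v, ok := e.Vars[markerVar]
	tok, tier := e.Vars[tokenVar], "conditional"
	if tok != "" && e.FileExists(tok) {
		tier = "confirmed"
	}
	return Finding{channel, tier, markerVar + "=" + v + ", token file " + tok}, ok
}

// DetectAWSIdentity checks the channels in the README's order: IRSA (AWS_ROLE_ARN plus a
// projected OIDC token, traded via sts:AssumeRoleWithWebIdentity), EKS Pod Identity (node
// agent on a link-local URI, gated by a per-pod token file), then the node's own role via
// IMDS, which is reachable only if the node does not shield it from pods.
func DetectAWSIdentity(e Env) []Finding {
	var out []Finding
	if f, ok := envChannel(e, "irsa", "AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"); ok {
		out = append(out, f)
	}
	if f, ok := envChannel(e, "pod-identity", "AWS_CONTAINER_CREDENTIALS_FULL_URI", "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"); ok {
		out = append(out, f)
	}
	if role, err := imdsRole(e.IMDSBase); err == nil {
		out = append(out, Finding{"imds", "confirmed", "node instance profile role " + role + " (IMDSv2)"})
	} else {
		out = append(out, Finding{"imds", "informational", "IMDS not reachable from pod: " + err.Error()})
	}
	return out
}

// imdsRole performs the IMDSv2 exchange: PUT for a session token, then list the role name
// under the instance profile. A tokenless IMDSv1 GET is deliberately not attempted.
func imdsRole(base string) (string, error) {
	c := &http.Client{Timeout: 2 * time.Second}
	call := func(method, path, header, value string) (string, error) {
		req, _ := http.NewRequest(method, base+path, nil)
		req.Header.Set(header, value)
		resp, err := c.Do(req)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		body, _ := io.ReadAll(resp.Body)
		if resp.StatusCode != http.StatusOK {
			return "", fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode)
		}
		return strings.TrimSpace(string(body)), nil
	}
	tok, err := call(http.MethodPut, "/latest/api/token", "X-aws-ec2-metadata-token-ttl-seconds", "60")
	if err != nil {
		return "", err
	}
	return call(http.MethodGet, "/latest/meta-data/iam/security-credentials/", "X-aws-ec2-metadata-token", tok)
}

// NewFakeIMDS is a constructed stand-in for the node metadata service with IMDSv2 enforced.
func NewFakeIMDS() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.URL.Path == "/latest/api/token" && r.Method == http.MethodPut && r.Header.Get("X-aws-ec2-metadata-token-ttl-seconds") != "":
			io.WriteString(w, "fake-session-token")
		case r.URL.Path == "/latest/meta-data/iam/security-credentials/" && r.Header.Get("X-aws-ec2-metadata-token") == "fake-session-token":
			io.WriteString(w, "eks-node-role\n")
		default:
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
}

func main() {
	vars := map[string]string{}
	for _, kv := range os.Environ() {
		k, v, _ := strings.Cut(kv, "=")
		vars[k] = v
	}
	exists := func(p string) bool { _, err := os.Stat(p); return err == nil }
	for _, f := range DetectAWSIdentity(Env{vars, exists, "http://169.254.169.254"}) {
		fmt.Printf("[%s] %s: %s\n", f.Tier, f.Channel, f.Detail)
	}
}
```

Run inside a pod, `main` reads the real environment and tries the real metadata address; the next step for a confirmed finding (exchanging the IRSA token with STS, or fetching the credential document under the listed role) is left out on purpose, since that is the point at which a read-only check turns into credential use. An EKS node with a hop limit of 1 or IMDS blocked for pods lands in the informational branch, which is the "aging out" trend the shelving note refers to.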

Building from source

Requires Go 1.26 or newer. Build and install instructions will be published with the first release.

Contributing

Issues and pull requests are welcome once the first release is out. See CONTRIBUTORS.md.

Security and responsible use

kubereach is for authorized testing on clusters you own or have written permission to assess. It reads metadata, not secret values, and reports its own audit footprint. See SECURITY.md for the full policy and how to report a vulnerability.

License

Apache-2.0.
