There are many Kubernetes security scanners out there, and most give you results that say "this resource is misconfigured."
Kubesplaining tries to answer this: Given the RBAC bindings and pods you already have, how would an attacker move from a low-privilege subject to cluster-admin, host root, or kube-system secrets?
It walks the RBAC graph from every non-system subject and chains risky permissions into concrete attack paths.
It is heavily inspired by Cloudsplaining, which does the same job for AWS IAM.
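As an added illustration of the graph walk described above (example code, not Kubesplaining's own), the following Python resolves each non-system subject's effective rules from a constructed set of bindings and roles, then chains those rules into the three kinds of finding the text names. The object shapes, the binding and role names, and the `FINDINGS` table are assumptions; a RoleBinding that references a ClusterRole is deliberately included to show that it stays confined to its namespace.

```python
from collections import defaultdict
# Constructed sample RBAC objects (assumption: field names follow kubectl -o json).
ROLES = {  # (kind, namespace, name) -> rules
    ("ClusterRole", None, "secret-reader"): [{"resources": ["secrets"], "verbs": ["get", "list"]}],
    ("ClusterRole", None, "rbac-admin"): [{"resources": ["clusterrolebindings", "clusterroles"],
                                           "verbs": ["create", "bind"]}],
    ("Role", "dev", "pod-exec"): [{"resources": ["pods/exec"], "verbs": ["create"]}],
}
BINDINGS = [  # namespace None means ClusterRoleBinding; subjects are (kind, namespace, name)
    {"name": "crb-ci", "namespace": None, "roleRef": ("ClusterRole", "secret-reader"),
     "subjects": [("ServiceAccount", "ci", "builder")]},
    {"name": "rb-alice", "namespace": "dev", "roleRef": ("ClusterRole", "rbac-admin"),
     "subjects": [("User", None, "alice")]},  # a RoleBinding confines the ClusterRole to "dev"
    {"name": "crb-ops", "namespace": None, "roleRef": ("ClusterRole", "rbac-admin"),
     "subjects": [("Group", None, "ops"), ("Group", None, "system:masters")]},
    {"name": "rb-dev", "namespace": "dev", "roleRef": ("Role", "pod-exec"),
     "subjects": [("Group", None, "developers")]},
]
FINDINGS = {  # finding -> (all (resource, verb) pairs required, scopes they must hold in; None = any)
    "read kube-system secrets": ({("secrets", "get")}, {"*", "kube-system"}),
    "grant cluster-admin": ({("clusterrolebindings", "create"), ("clusterroles", "bind")}, {"*"}),
    "exec into pods (host root if a privileged pod exists)": ({("pods/exec", "create")}, None),
}

def effective_rules(bindings=BINDINGS, roles=ROLES):
    """Walk subject -> binding -> role -> rule. Returns {subject: {(scope, resource, verb): binding}}."""
    perms = defaultdict(dict)
    for b in bindings:
        scope = b["namespace"] or "*"  # RoleBinding scope is its namespace, ClusterRoleBinding is "*"
        kind, name = b["roleRef"]
        rules = roles.get((kind, None if kind == "ClusterRole" else b["namespace"], name), [])
        for subj in b["subjects"]:
            if subj[2].startswith("system:"): continue  # skip built-in system subjects
            for res, verb in ((r, v) for rule in rules for r in rule["resources"] for v in rule["verbs"]):
                perms[subj].setdefault((scope, res, verb), b["name"])
    return perms

def attack_paths(bindings=BINDINGS, roles=ROLES):
    """Chain each subject's effective rules into findings. Returns {subject: {finding: [bindings]}}."""
    paths = defaultdict(dict)
    for subj, perms in effective_rules(bindings, roles).items():
        for finding, (needed, scopes) in FINDINGS.items():
            via = []
            for res, verb in needed:
                hits = [b for (sc, r, v), b in perms.items() if (r, v) == (res, verb) and (scopes is None or sc in scopes)]
                if not hits: break  # one required permission is missing: no path for this finding
                if hits[0] not in via:
                    via.append(hits[0])
            else:
                paths[subj][finding] = via
    return dict(paths)
```

With the sample data, `alice` produces no finding even though her ClusterRole carries `bind` and `create`, because the RoleBinding limits it to the `dev` namespace where cluster-scoped resources are unreachable.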