K8sAttackMap

Choke Point Analysis

Identify the nodes whose hardening eliminates the most attack paths in your cluster.

What is a Choke Point?

A choke point is a node in the attack graph that, if hardened or removed, would sever the maximum number of attack paths simultaneously. Think of it as the highest-leverage remediation target: fixing one choke point can eliminate dozens of paths at once.

K8sAttackMap identifies the top-5 choke points in your cluster, ranked by:

  1. Path count — how many attack paths pass through this node
  2. Weighted impact — path count × average path risk score

Ranking Algorithm

For each node that appears in any attack path:

  1. Count the number of distinct source→target paths that traverse it
  2. Compute a weighted score: pathCount × averageRiskWeight
  3. Sort descending by weighted score
  4. Return the top-5

Nodes that appear at the junction of many high-risk paths rank highest — typically service accounts with broad ClusterRole bindings, or pods running with privileged security contexts.
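The ranking above, worked as a small added example in Python (this is illustration code, not K8sAttackMap's own ChokePointIdentifier, and the attack paths are constructed). It assumes a path is an ordered node list with one risk score, and, by default, skips each path's source and target endpoints so that only junction nodes are ranked; the page does not state that rule.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackPath:
    nodes: tuple   # ordered node ids, source first, target last
    risk: float    # risk score of the whole path


@dataclass(frozen=True)
class RankedChokePoint:
    node: str
    path_count: int
    score: float   # pathCount x averageRiskWeight


def rank_choke_points(paths, top=5, interior_only=True):
    """Rank nodes by weighted score (path count x mean path risk), descending."""
    # Identical source->target paths are counted once (P1 is duplicated below).
    unique = list({p.nodes: p for p in paths}.values())
    risks_through = defaultdict(list)
    for p in unique:
        # Assumption: endpoints are excluded so targets do not dominate the ranking.
        nodes = p.nodes[1:-1] if interior_only else p.nodes
        for node in set(nodes):   # a node repeated within one path counts once
            risks_through[node].append(p.risk)
    ranked = [
        RankedChokePoint(node, len(r), round(len(r) * (sum(r) / len(r)), 2))
        for node, r in risks_through.items()
    ]
    # Tie-break on path count, then node id, so the order is deterministic.
    ranked.sort(key=lambda c: (-c.score, -c.path_count, c.node))
    return ranked[:top]


SA, CRB, TOKEN, ADMIN = ("ServiceAccount:default:ci-runner",
                         "ClusterRoleBinding:ci-runner-admin",
                         "Secret:kube-system:bootstrap-token", "cluster-admin")
# Constructed sample paths; the last one is a deliberate duplicate of the first.
SAMPLE_PATHS = [
    AttackPath(("Pod:default:web", SA, CRB, ADMIN), 2.5),
    AttackPath(("Pod:ci:build", SA, CRB, ADMIN), 1.5),
    AttackPath(("Pod:monitoring:prometheus", TOKEN, ADMIN), 2.0),
    AttackPath(("Pod:ci:build", SA, TOKEN, ADMIN), 1.0),
    AttackPath(("Pod:default:web", SA, CRB, ADMIN), 2.5),
]

if __name__ == "__main__":
    for i, cp in enumerate(rank_choke_points(SAMPLE_PATHS), 1):
        print(f"{i}. {cp.node:<40} paths severed: {cp.path_count}  score: {cp.score}")
```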

Console Output

Choke Points (Top 5):
  1. ServiceAccount:default:ci-runner  |  paths severed: 7  |  score: 14.2
     kubectl delete clusterrolebinding ci-runner-admin
  2. Pod:monitoring:prometheus          |  paths severed: 4  |  score: 8.6
     kubectl patch pod prometheus ... (restrict RBAC)
  3. Secret:kube-system:bootstrap-token |  paths severed: 3  |  score: 6.1
  ...

HTML Visualisation

In the HTML attack map, choke points are visually distinguished:

  • Grey node colour with a thicker border
  • Tooltip shows path count and impact score
  • Clicking a choke point highlights all paths that traverse it

Remediation Plans

Each choke point comes with a tailored remediation plan generated by ChokePointRemediationAdvisor. The plan includes:

  • Audit commands — kubectl commands to inspect the current state
  • Enforcement commands — kubectl commands to apply the fix
  • Explanation — why this node is dangerous and what the fix achieves

Example remediation for a service account with a wildcard ClusterRoleBinding:

# Audit: list all cluster role bindings for this service account
kubectl get clusterrolebindings -o json | \
  jq '.items[] | select(.subjects[]?.name=="ci-runner")'

# Fix: remove the overly broad binding
kubectl delete clusterrolebinding ci-runner-cluster-admin

# Enforce least-privilege: create a scoped role instead
kubectl create role ci-runner-limited \
  --verb=get,list --resource=pods \
  -n default
kubectl create rolebinding ci-runner-limited \
  --role=ci-runner-limited \
  --serviceaccount=default:ci-runner \
  -n default

Implementation Details

  • analysis/chokepoint/ChokePointIdentifier.java — ranks nodes by path coverage
  • analysis/chokepoint/ChokePointRemediationAdvisor.java — generates kubectl remediation commands
  • analysis/chokepoint/RankedChokePoint.java — value object with node, path count, and score
