
CLI Reference

Full reference for all K8sAttackMap command-line options and flags.

Synopsis

k8sattackmap [OPTIONS]

Options

Core Options

| Flag | Short | Type | Default | Description |
|---|---|---|---|---|
| --k8s-json | -k | PATH | (kubectl) | Path to Kubernetes cluster state JSON file. When omitted, K8sAttackMap captures the cluster live via kubectl. |
| --source-node | -s | IDS | (auto-discover) | Comma-separated source node IDs. Format: <Type>:<namespace>:<name>. |
| --target-node | -t | IDS | (auto-discover) | Comma-separated target node IDs. Same format as source. |
| --output | -o | FORMATS | (none) | Comma-separated export formats: html, pdf. |
| --max-hops | -m | N | 3 | Blast radius hop depth. Higher values find more impacted assets at the cost of analysis time. |
| --show-all-paths | -a | flag | false | Show all discovered paths grouped by source→target pair. By default only the single highest-risk path is displayed. |

Utility Options

| Flag | Short | Description |
|---|---|---|
| --help | -h | Print help message and exit. |
| --version | -v | Print version and exit. |
| --verbose | | Enable verbose/debug logging via Logback. |
| --no-color | | Disable ANSI colour output. Also auto-enabled when the NO_COLOR environment variable is set. |

Node ID Format

All node identifiers use the format <Type>:<namespace>:<name>.

Pod:default:web-app
ServiceAccount:kube-system:coredns
Secret:production:stripe-api-key
Deployment:default:frontend
ClusterRole:cluster-scoped:cluster-admin
ClusterRoleBinding:cluster-scoped:admin-binding
Node:cluster-scoped:worker-node-1

Cluster-scoped resources: ClusterRole, ClusterRoleBinding, Node, PersistentVolume, and other non-namespaced resources use cluster-scoped as the namespace segment.

Auto-Discovery

When --source-node and --target-node are both omitted, K8sAttackMap runs an automatic heuristic to classify entry points and crown jewels:

Auto-detected sources (entry points):

  • Pod resources (directly reachable workloads)
  • User and Group subjects from RoleBinding / ClusterRoleBinding
  • ServiceAccount resources with external-facing bindings

Auto-detected targets (crown jewels):

  • Secret resources
  • Role and ClusterRole resources
  • ConfigMap resources flagged as sensitive (containing token-like keys)

If auto-discovery finds no candidates (empty or minimal cluster), use explicit --source-node and --target-node.
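The node ID format and the auto-discovery heuristic above, as an added example that is not K8sAttackMap's own code: it formats IDs with the cluster-scoped rule for non-namespaced kinds, classifies a constructed resource list into sources and targets (only the Pod, Secret, Role/ClusterRole and sensitive-ConfigMap rules; the User/Group and ServiceAccount binding rules are omitted), and assembles the explicit -s/-t invocation. The "token-like key" pattern is an assumption, since the page does not define it.

```python
import re

# Kinds the page lists as non-namespaced; their namespace segment is "cluster-scoped".
CLUSTER_SCOPED_KINDS = {"ClusterRole", "ClusterRoleBinding", "Node", "PersistentVolume"}
# Assumed pattern for "token-like" ConfigMap keys; the tool's real rule is not on the page.
TOKEN_KEY_RE = re.compile(r"token|secret|password|api[_-]?key", re.IGNORECASE)

# Constructed sample resources, not captured from a real cluster.
SAMPLE_RESOURCES = [
    {"kind": "Pod", "namespace": "default", "name": "web-app"},
    {"kind": "Secret", "namespace": "production", "name": "stripe-api-key"},
    {"kind": "ClusterRole", "name": "cluster-admin"},
    {"kind": "ConfigMap", "namespace": "default", "name": "app-config",
     "data": {"LOG_LEVEL": "info", "API_TOKEN": "placeholder"}},
    {"kind": "ConfigMap", "namespace": "default", "name": "feature-flags",
     "data": {"dark_mode": "true"}},
]

def node_id(kind, name, namespace=None):
    """Format <Type>:<namespace>:<name>; cluster-scoped kinds ignore any namespace."""
    ns = "cluster-scoped" if kind in CLUSTER_SCOPED_KINDS else namespace
    if not ns:
        raise ValueError(f"{kind}/{name}: namespaced resource needs a namespace")
    return f"{kind}:{ns}:{name}"

def is_sensitive_configmap(res):
    """A ConfigMap counts as a crown jewel when any data key looks token-like."""
    return any(TOKEN_KEY_RE.search(key) for key in res.get("data", {}))

def auto_discover(resources):
    """Return (sources, targets) in input order, following the page's heuristic."""
    sources, targets = [], []
    for r in resources:
        kind = r["kind"]
        nid = node_id(kind, r["name"], r.get("namespace"))
        if kind == "Pod":
            sources.append(nid)
        elif kind in ("Secret", "Role", "ClusterRole"):
            targets.append(nid)
        elif kind == "ConfigMap" and is_sensitive_configmap(r):
            targets.append(nid)
    return sources, targets

def build_argv(sources, targets, max_hops=3, show_all_paths=False):
    """Assemble an explicit k8sattackmap invocation; mirror the tool's fatal exit on no candidates."""
    if not sources or not targets:
        raise ValueError("no candidates found; pass --source-node and --target-node explicitly")
    argv = ["k8sattackmap", "-s", ",".join(sources), "-t", ",".join(targets), "-m", str(max_hops)]
    if show_all_paths:
        argv.append("-a")
    return argv
```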

Environment Variables

| Variable | Effect |
|---|---|
| NO_COLOR | When set to any non-empty value, disables ANSI colour output (same as --no-color). |

Exit Codes

| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Fatal error (parse failure, no candidates found, I/O error) |

Printed Help Output

K8sAttackMap [OPTIONS]

Options:
  -h, --help                   Print this message
  -v, --version                Print version
  -k, --k8s-json <PATH>        Path to Kubernetes cluster state JSON file
  -s, --source-node <IDS>      Comma-separated source node IDs
                               Format: <Type>:<namespace>:<name>
                               Example: Pod:default:web-app
  -t, --target-node <IDS>      Comma-separated target node IDs
                               Format: <Type>:<namespace>:<name>
                               Example: Secret:default:db-credentials
  -o, --output <FORMATS>       Comma-separated output formats: html, pdf
  -m, --max-hops <N>           Blast radius hop depth (default: 3)
  -a, --show-all-paths         Show all discovered paths grouped by
                               source-target pair, not just the worst path
      --no-color               Disable colored output (respects NO_COLOR env var)
      --verbose                Enable verbose/debug logging
