KUBESHADOW
Abstract
KubeShadow is a Go-based, modular red-team framework engineered to simulate end-to-end adversary kill-chains against Kubernetes (EKS, GKE, AKS and self-hosted) with precision and operational fidelity. It combines a powerful recon engine, graph-based chaining, and a plugin architecture that houses control-plane and workload exploitation modules (etcd injection, kubelet hijack, sidecar/init-container injection, RBAC escalation, ephemeral container attacks), multi-cloud identity pivoting, and flexible exfiltration adapters. Built-in lab manifests and safe execution flags enable reproducible PoCs and purple-team exercises, while the interactive dashboard and attack map correlate findings, link raw command outputs, and produce prioritized remediation guidance. KubeShadow is designed for authorized adversary emulation and defender validation - to measure real impact, harden controls, and close the gaps modern cloud-native deployments expose.