Kubesplaining tries to answer this: Given the RBAC bindings and pods you already have, how would an attacker move from a low-privilege subject to cluster-admin, host root, or kube-system secrets?
It walks the RBAC graph from every non-system subject and chains risky permissions into concrete attack paths.
It is heavily inspired by Cloudsplaining, which does the same job for AWS IAM.
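
The graph walk described above, as an added example that is not Kubesplaining's own code: a breadth-first search from each non-system subject over constructed RBAC data. The subject and role names, the two chaining rules, and the `is_system` test are simplified assumptions made for this illustration.

```python
from collections import deque

# Constructed sample data, not from a real cluster; all names are hypothetical.
# role -> set of (verb, resource, namespace); "*" means cluster-wide.
ROLES = {
    "deployer":    {("create", "pods", "ci")},
    "ci-operator": {("bind", "clusterroles", "*")},
    "viewer":      {("get", "pods", "dev")},
}
# subject -> roles bound to it
BINDINGS = {
    "user:alice":             ["deployer"],
    "user:bob":               ["viewer"],
    "sa:ci/builder":          ["ci-operator"],
    "sa:kube-system/coredns": ["viewer"],
}

def is_system(subject):
    # Assumption: what counts as a "system" subject for this example.
    return subject.startswith(("system:", "sa:kube-system/"))

def edges(node):
    """Yield (next_node, reason) for each risky permission the node holds."""
    for role in BINDINGS.get(node, []):
        for verb, resource, ns in ROLES[role]:
            if (verb, resource) == ("create", "pods"):
                # A pod can be created to run as any service account in its namespace.
                for sa in BINDINGS:
                    if sa.startswith(f"sa:{ns}/"):
                        yield sa, f"{role}: create pods in {ns}"
            elif resource == "clusterroles" and verb in ("bind", "escalate"):
                # Simplified: treated here as a direct step to cluster-admin.
                yield "cluster-admin", f"{role}: {verb} clusterroles"

def find_paths(target="cluster-admin"):
    """Return {start_subject: [(from, reason, to), ...]} for the shortest path found."""
    paths = {}
    for start in BINDINGS:
        if is_system(start):
            continue
        queue, seen = deque([(start, [])]), {start}
        while queue:
            node, path = queue.popleft()
            if node == target:
                paths[start] = path
                break
            for nxt, why in edges(node):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [(node, why, nxt)]))
    return paths
```

Each reported path names the binding responsible for every hop, which is the role or binding to tighten to break the chain.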