Open source · DevSecOps · MIT

Know what you expose.

Beacon maps your Kubernetes cluster's entire network attack surface in real-time. Every service, ingress, and NodePort — traced, scored, and visualised.

Features

Full attack surface visibility

  • Real-time · < 2s detection

    Exposure detected instantly,
    scored by risk level

    HIGH, MEDIUM, LOW — every new exposure flagged the moment it appears via Kubernetes Informers. No polling, no delay.

    HIGH
    MEDIUM
    LOW
  • Chain mapping

    FQDN → Ingress
    → Service → Pod

    Every exposure path traced automatically. No blind spots.

    api.prod.com
    ↓ Ingress/nginx
    ↓ Service/api-svc
    Pod/api-v2
  • Zero-agent

    Read-only RBAC

    No sidecars, no DaemonSets. CPU < 50m, RAM < 100Mi. Pure API-centric architecture.

  • TLS enforcement

    No silent HTTP

    Ingress and IngressRoutes without TLS are automatically penalised in the risk score.

  • Webhooks

    Instant alerts

    Push to Slack, Teams, Discord, or any HTTP endpoint on critical detection.

  • CVE scoring

    Port sensitivity

    SSH, Redis, Postgres, etcd, MongoDB — flagged HIGH automatically. Configurable via YAML.

Dashboard

Your cluster, fully visible

A lightweight, real-time dashboard — see every exposed service, its risk score, and the full chain. Runs on port 8080.

BeaconLive
cluster: production

3

HIGH risk

1

MEDIUM risk

2

LOW risk

ServiceNamespaceTypePortRisk
postgres-svcproductionNodePort5432HIGH
redis-cachecacheLoadBalancer6379HIGH
metrics-svcmonitoringNodePort9200HIGH
auth-serviceauthLoadBalancer8080MEDIUM
api-gatewaydefaultIngress443LOW
frontend-appwebIngressRoute443LOW

Architecture

Lightweight by design.
Your cluster, your data.

Written in Go with k8s.io/client-go Informers. Read-only RBAC. No sidecar, no DaemonSet, no telemetry. MIT licensed.

  • KubeWatcher

    Listens to the K8s API

    Informers & Watchers on Services (NodePort/LoadBalancer), Ingress, and IngressRoutes (Traefik). Events arrive in < 2s.

  • AggregationEngine

    Full chain resolution

    Cross-references all objects to build the complete exposure chain: FQDN → Ingress → Service → Pod. Zero blind spots.

  • RiskScorer

    Smart risk classification

    Configurable YAML rules. Sensitive ports (SSH, Redis, Postgres, etcd…) flagged HIGH automatically. TLS absence raises score.

  • WebServer

    Zero-dependency dashboard

    HTMX-powered real-time dashboard on :8080. SQLite or in-memory store. Single Go binary, no Node.js, no frontend build step.

Gok8s.io/client-goSQLiteHTMXTailwindCSSKubernetesHelmk3d
Install

Up and running
in under five minutes

kubectl
# 1 — Apply the manifest (RBAC + Deployment + Service)
kubectl apply -f https://raw.githubusercontent.com/you/beacon/main/deploy/beacon.yaml

# 2 — Forward the dashboard locally
kubectl port-forward svc/beacon 8080:8080 -n beacon

Deploys in the 'beacon' namespace with a read-only ClusterRole.

Configure risk rules — no recompile needed

scoring.yaml
# Ports automatically flagged HIGH
ports:
  - port: 5432  # PostgreSQL
    risk: HIGH
  - port: 6379  # Redis
    risk: HIGH
  - port: 9200  # Elasticsearch
    risk: HIGH

# Default score by exposure type
exposure_defaults:
  NodePort:     MEDIUM
  LoadBalancer: MEDIUM
  Ingress:      LOW

# TLS penalty — raises score one level
no_tls_penalty: true
How it works

Four steps
from deploy to dashboard

101

Deploy Beacon

Apply the single manifest with a read-only ServiceAccount. Beacon starts watching your cluster immediately.

202

Auto-discovery

Beacon connects to the K8s API and maps all Services, Ingress, IngressRoutes in real-time. No config needed.

303

Risk scoring

Every exposure is scored automatically — sensitive ports, missing TLS, CVE counts all factored in.

404

Monitor & alert

Open the dashboard at :8080. Get webhook alerts to Slack, Teams, or Discord on every critical detection.

Know what you expose,
before attackers do.

Open source, self-hosted, zero agents. Your cluster data never leaves your network.