Know what you expose.
Beacon maps your Kubernetes cluster's entire network attack surface in real-time. Every service, ingress, and NodePort — traced, scored, and visualised.
Features
Full attack surface visibility
- Real-time · < 2s detection
Exposure detected instantly,
scored by risk levelHIGH, MEDIUM, LOW — every new exposure flagged the moment it appears via Kubernetes Informers. No polling, no delay.
HIGHMEDIUMLOW Chain mapping
FQDN → Ingress
→ Service → PodEvery exposure path traced automatically. No blind spots.
api.prod.com
↓ Ingress/nginx
↓ Service/api-svc
↓ Pod/api-v2Zero-agent
Read-only RBAC
No sidecars, no DaemonSets. CPU < 50m, RAM < 100Mi. Pure API-centric architecture.
TLS enforcement
No silent HTTP
Ingress and IngressRoutes without TLS are automatically penalised in the risk score.
Webhooks
Instant alerts
Push to Slack, Teams, Discord, or any HTTP endpoint on critical detection.
CVE scoring
Port sensitivity
SSH, Redis, Postgres, etcd, MongoDB — flagged HIGH automatically. Configurable via YAML.
Dashboard
Your cluster, fully visible
A lightweight, real-time dashboard — see every exposed service, its risk score, and the full chain. Runs on port 8080.
3
HIGH risk
1
MEDIUM risk
2
LOW risk
| Service | Namespace | Type | Port | Risk |
|---|---|---|---|---|
| postgres-svc | production | NodePort | 5432 | HIGH |
| redis-cache | cache | LoadBalancer | 6379 | HIGH |
| metrics-svc | monitoring | NodePort | 9200 | HIGH |
| auth-service | auth | LoadBalancer | 8080 | MEDIUM |
| api-gateway | default | Ingress | 443 | LOW |
| frontend-app | web | IngressRoute | 443 | LOW |
Architecture
Lightweight by design.
Your cluster, your data.
Written in Go with k8s.io/client-go Informers. Read-only RBAC. No sidecar, no DaemonSet, no telemetry. MIT licensed.
KubeWatcher
Listens to the K8s API
Informers & Watchers on Services (NodePort/LoadBalancer), Ingress, and IngressRoutes (Traefik). Events arrive in < 2s.
AggregationEngine
Full chain resolution
Cross-references all objects to build the complete exposure chain: FQDN → Ingress → Service → Pod. Zero blind spots.
RiskScorer
Smart risk classification
Configurable YAML rules. Sensitive ports (SSH, Redis, Postgres, etcd…) flagged HIGH automatically. TLS absence raises score.
WebServer
Zero-dependency dashboard
HTMX-powered real-time dashboard on :8080. SQLite or in-memory store. Single Go binary, no Node.js, no frontend build step.
Up and running
in under five minutes
# 1 — Apply the manifest (RBAC + Deployment + Service)
kubectl apply -f https://raw.githubusercontent.com/you/beacon/main/deploy/beacon.yaml
# 2 — Forward the dashboard locally
kubectl port-forward svc/beacon 8080:8080 -n beaconDeploys in the 'beacon' namespace with a read-only ClusterRole.
Configure risk rules — no recompile needed
# Ports automatically flagged HIGH
ports:
- port: 5432 # PostgreSQL
risk: HIGH
- port: 6379 # Redis
risk: HIGH
- port: 9200 # Elasticsearch
risk: HIGH
# Default score by exposure type
exposure_defaults:
NodePort: MEDIUM
LoadBalancer: MEDIUM
Ingress: LOW
# TLS penalty — raises score one level
no_tls_penalty: trueFour steps
from deploy to dashboard
Deploy Beacon
Apply the single manifest with a read-only ServiceAccount. Beacon starts watching your cluster immediately.
Auto-discovery
Beacon connects to the K8s API and maps all Services, Ingress, IngressRoutes in real-time. No config needed.
Risk scoring
Every exposure is scored automatically — sensitive ports, missing TLS, CVE counts all factored in.
Monitor & alert
Open the dashboard at :8080. Get webhook alerts to Slack, Teams, or Discord on every critical detection.
Know what you expose,
before attackers do.
Open source, self-hosted, zero agents. Your cluster data never leaves your network.