You've installed Kyverno. You've written RBAC policies. You've enabled Falco. Your security dashboard is green, your compliance team is happy, and your cluster feels locked down.
But here's the uncomfortable question: have you actually verified that any of it works?
Policy engines are misconfigured silently. Admission webhooks get deployed in Audit mode and never flipped to Enforce. Runtime rules get disabled to stop alert noise. And none of it shows up as a red light on your dashboard until an attacker finds it for you.
That's why I built ChaosClaw.
What Is ChaosClaw?
ChaosClaw is a Kubernetes security testing CLI that proves your controls work. It runs targeted, deterministic tests against a live cluster and produces structured JSON evidence for every result.
It covers four control domains:
Admission controls — are dangerous manifests being rejected?
RBAC policies — are access boundaries actually enforced?
Network segmentation — is traffic being blocked as expected?
Runtime detection — are Falco/Tetragon/KubeArmor alerting on threat techniques?
Every test returns one of four results: PASS, FAIL, ERROR, or SKIPPED, and every run produces a structured evidence artifact you can store, diff, and audit.
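As an added illustration, not ChaosClaw's own code or evidence schema, the block below shows why keeping ERROR and SKIPPED separate from PASS and FAIL matters, and how a stored evidence artifact from one run can be diffed against a later one to catch a control that silently regressed (for example an admission webhook flipped to Audit mode). The scenario names, the `chaos-test` namespace, the record layout and the sample observations are all constructed for the example.

```python
"""Hypothetical four-outcome classification and evidence diffing.

Added example; not ChaosClaw's own code or evidence format. Scenario
names, namespace and record layout are assumptions for illustration.
"""
import json
from dataclasses import dataclass, asdict
from typing import Optional

RESULTS = ("PASS", "FAIL", "ERROR", "SKIPPED")


@dataclass
class Observation:
    """What the cluster did when the probe was submitted (constructed)."""
    precondition_met: bool           # e.g. the admission webhook is registered
    api_error: Optional[str] = None  # transport/API failure, not a control decision
    allowed: Optional[bool] = None   # did the API server permit the object/action?


def classify(expected_allowed: bool, obs: Observation) -> str:
    """Map one observation to PASS / FAIL / ERROR / SKIPPED.

    A missing webhook or a timeout says nothing about whether the control
    works, so it is reported as SKIPPED or ERROR rather than folded into
    PASS; folding it in would hide exactly the silent misconfiguration
    the article warns about.
    """
    if not obs.precondition_met:
        return "SKIPPED"
    if obs.api_error is not None or obs.allowed is None:
        return "ERROR"
    return "PASS" if obs.allowed == expected_allowed else "FAIL"


def evidence(scenario: str, domain: str, namespace: str,
             expected_allowed: bool, obs: Observation) -> dict:
    """One structured evidence record for a scenario run (hypothetical schema)."""
    return {
        "scenario": scenario,
        "domain": domain,
        "namespace": namespace,
        "expected": {"allowed": expected_allowed},
        "observed": asdict(obs),
        "result": classify(expected_allowed, obs),
    }


def summary(run: list[dict]) -> dict:
    """Count results per outcome, the number a dashboard would show."""
    return {r: sum(1 for e in run if e["result"] == r) for r in RESULTS}


def diff_runs(previous: list[dict], current: list[dict]) -> dict:
    """Compare two evidence artifacts scenario by scenario.

    'regressed' lists scenarios that were PASS before and are not now,
    including those that dropped to ERROR or SKIPPED, since a control that
    can no longer be verified deserves the same attention as one that failed.
    """
    prev = {e["scenario"]: e["result"] for e in previous}
    changes = {"regressed": [], "recovered": [], "new": [], "missing": []}
    for e in current:
        name, now = e["scenario"], e["result"]
        if name not in prev:
            changes["new"].append(name)
        elif prev[name] == "PASS" and now != "PASS":
            changes["regressed"].append((name, prev[name], now))
        elif prev[name] != "PASS" and now == "PASS":
            changes["recovered"].append((name, prev[name], now))
    changes["missing"] = sorted(set(prev) - {e["scenario"] for e in current})
    return changes


# Constructed sample: two runs of the same three scenarios in the test namespace.
NS = "chaos-test"  # hypothetical dedicated, RBAC-scoped test namespace
BASELINE = [
    evidence("privileged-pod", "admission", NS, False, Observation(True, allowed=False)),
    evidence("hostpath-mount", "admission", NS, False, Observation(True, allowed=False)),
    evidence("sa-token-secret-read", "rbac", NS, False, Observation(True, allowed=False)),
]
# Later run: the webhook now sits in Audit mode, so the privileged pod is
# admitted; the RBAC probe hit an API timeout and cannot be judged.
LATER = [
    evidence("privileged-pod", "admission", NS, False, Observation(True, allowed=True)),
    evidence("hostpath-mount", "admission", NS, False, Observation(True, allowed=False)),
    evidence("sa-token-secret-read", "rbac", NS, False, Observation(True, api_error="timeout")),
]

if __name__ == "__main__":
    print(json.dumps(LATER, indent=2))
    print(summary(LATER))
    print(diff_runs(BASELINE, LATER))
```

Run against the constructed sample, the later artifact reports one PASS, one FAIL and one ERROR, and the diff flags both `privileged-pod` (PASS to FAIL) and `sa-token-secret-read` (PASS to ERROR) as regressions, which is the signal a green dashboard would otherwise miss.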
Safety First: Namespace-Scoped by Design
Before anything else: ChaosClaw is built to run on a live cluster.
All execution is confined to a dedicated, RBAC-enforced test namespace. By construction, it cannot touch any other namespace in the cluster. The design philosophy is that a security testing tool shouldn't be a security risk itself.
Try It
chaosclaw --help
The repo is at github.com/aahan-pat/chaosclaw, with full docs covering the architecture, the scenario library, the CLI reference, and a case study against a deliberately vulnerable cluster.
If your Kubernetes security controls haven't been verified against real attack scenarios, they're assumptions rather than guarantees. ChaosClaw is how you find out which ones are wrong.
Open Source & Contributing
ChaosClaw is fully open source and actively welcomes contributions. If you work in Kubernetes security, there are some particularly high-value areas to get involved in:
New scenarios: have a control you want tested? The scenario format is straightforward and well-documented in docs/scenarios.md
New alert sources: runtime detection beyond Falco, Tetragon, and KubeArmor
Bug reports & feedback: especially from real cluster environments where things behave unexpectedly
Open an issue or PR at github.com/aahan-pat/chaosclaw. The project has open issues tagged and ready for first-time contributors.