Ask HN: Would your team use a zero-mutation CLI to audit Kubernetes RBAC access?

We recently went through a SOC 2 audit and hit a wall when it came to Kubernetes RBAC. The auditor asked, “Can you show who had access to secrets across your cluster during this window?” We ended up:

- Dumping RoleBindings and ClusterRoles with kubectl
- Manually parsing YAML to figure out permissions
- Taking screenshots of shell output

It was brittle, slow, and painful.

So we built a tool: Permiflow — a CLI that scans your cluster's RBAC and generates clean, audit-ready reports without touching your cluster.

What it does:

- Scans Roles, RoleBindings, ClusterRoles, ClusterRoleBindings
- Flags risks: cluster-admin, wildcard verbs, secrets access, etc.
- Outputs: Markdown reports (easy to share with GRC/auditors), CSV + JSON (for automation)
- Supports drift detection: diff two scans and see what changed
- Can fail CI if risky access appears (--fail-on high)
- Doesn’t use agents, CRDs, or mutate anything (read-only)

We’re not sure if this is:

- A real pain other teams feel too
- Or just us over-engineering an audit script

Would this be useful for your team? Would you expect it to integrate into CI, GitOps, or just be a one-off tool?

1 points | by tutran-se 7 hours ago

0 comments
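As an added example (not Permiflow's code), here is the kind of read-only check the post describes, in Python over ClusterRole and ClusterRoleBinding objects in the shape `kubectl get ... -o json` returns: wildcard rules, secrets reads and cluster-admin bindings are flagged per subject, and a `--fail-on`-style gate turns the findings into an exit code. The sample objects and the severity thresholds are constructed assumptions, and namespaced Roles/RoleBindings are left out for brevity.

```python
# Added example, not Permiflow's own code: a read-only risk pass over ClusterRole
# and ClusterRoleBinding objects as `kubectl get ... -o json` returns them.
# All objects below are constructed samples, not dumped from a real cluster.
SEVERITY = {"medium": 1, "high": 2}

def classify_rule(rule):
    """Return (severity, reason) for one PolicyRule, or None if unremarkable."""
    verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
    if "*" in verbs and "*" in resources:
        return ("high", "wildcard verbs on wildcard resources")
    if resources & {"secrets", "*"} and verbs & {"*", "get", "list", "watch"}:
        return ("medium", "can read secrets")
    return None

def audit(roles, bindings):
    """Join each binding to its role's rules; one finding per subject and reason."""
    rules_by_role = {r["metadata"]["name"]: r.get("rules", []) for r in roles}
    findings = []
    for b in bindings:
        role = b["roleRef"]["name"]
        if role == "cluster-admin":          # built-in superuser role: flag directly
            reasons = [("high", "bound to cluster-admin")]
        else:
            hits = (classify_rule(r) for r in rules_by_role.get(role, []))
            reasons = sorted({h for h in hits if h})
        for s in b.get("subjects", []):
            for sev, why in reasons:
                findings.append({"subject": f'{s["kind"]}/{s["name"]}',
                                 "role": role, "severity": sev, "reason": why})
    return findings

def exit_code(findings, fail_on="high"):
    """Gate like `--fail-on`: 1 if any finding meets the threshold, else 0."""
    return int(any(SEVERITY[f["severity"]] >= SEVERITY[fail_on] for f in findings))

ROLES = [  # constructed sample
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]
BINDINGS = [  # constructed sample
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "ops-team"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for f in audit(ROLES, BINDINGS):
        print(f"{f['severity']:7}{f['subject']:28}{f['role']:15}{f['reason']}")
```

Run against the samples it reports the CI service account as high (cluster-admin) and the ops group as medium (secrets read), while alice's pod-viewer binding is silent; feeding it real `kubectl get clusterroles,clusterrolebindings -o json` items needs only the `items` list unpacked.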