Whoami

whoami

whoami is the first command to run in any HarrierOps Kube session.

It confirms which cluster, context, namespace, identity, and foothold shape the tool is actually using before you trust anything else.

What This Command Answers

• Which cluster and API server am I talking to?
• Which context and namespace are active?
• What identity does this session appear to be using?
• Is that identity direct, inferred, or visibility-blocked?
• Does the auth path or execution origin look surprising?

Run It

harrierops-kube whoami --output table

If you want a saved structured artifact:

harrierops-kube whoami --output json --outdir ./harrierops-kube-demo

Example Table Output

cluster	api server	context	namespace	identity	confidence	foothold	auth material
lab-cluster	https://10.0.0.1:6443	lab-cluster	default	fox-operator	direct	cloud-bridged	exec-plugin

When To Use It

• at the start of every new session
• after switching contexts or namespaces
• after inheriting a shell, token, or kubeconfig
• any time later output feels thinner or broader than expected

What To Look For

• cluster, API server, context, and namespace
• the best-known current identity and its confidence
• auth material such as exec-plugin, token, or service-account clues
• whether the session looks outside-cluster or workload-originated
• environment hints that change how the cluster should be read

Why It Matters

Most bad Kubernetes analysis starts with a bad starting assumption.

If you are pointed at the wrong cluster, the wrong namespace, or the wrong auth path, every later table can still be accurate while leading you to the wrong conclusion. whoami gives you a fast truth check before you build the rest of the investigation on it.

What Should Stand Out First

• the current cluster and API server
• the active context and namespace
• the best-known identity and confidence
• auth material or execution-origin clues that change the attack story

If You See..., Go Next To...

• If you see a service-account-shaped foothold, go next to Service Accounts because the next question is which workload identity path this session belongs to.
• If you see a broad or surprising current session, go next to Permissions because the next question is what this foothold can actually do.
• If the session is clear but the cluster is not, go next to Inventory because the next question is what kind of environment you actually landed in.

What To Do Next

• Fix the context first if whoami shows the wrong cluster or namespace.
• Move to Inventory once the foothold looks right.
• Move quickly into Service Accounts or Permissions when the starting identity already looks meaningful.

Boundary

whoami is a grounding command.

It should confirm the current operating context honestly. It is not a full privilege review, a raw token dump, or a substitute for later workload and access analysis.