The Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
Refer to https://madhuakula.com/kubernetes-goat for the guide.
Show us some
Please feel free to send us a PR and show some
Upcoming Training's and Sessions
DEFCON DEMO Labs
Cloud Village - DEFCON
Recent Kubernetes Goat Presentations
OWASP Bay Area Meetup
DEFCON Red Team Village
Just click and Play in the browser for free using Katacoda Playground - Try now
https://katacoda.com/madhuakula/scenarios/kubernetes-goat
Setting up Kubernetes Goat
- Before we set up the Kubernetes Goat, ensure that you have created and have admin access to the Kubernetes cluster
- Set up the helm version 2 in your path as
helm2
. Refer to helm releases for more information about setup
- Then finally setup Kubernetes Goat by running the following command
git clone https://github.com/madhuakula/kubernetes-goat.git
cd kubernetes-goat
bash setup-kubernetes-goat.sh
- To export the ports/services locally to start learning, run the following command
bash access-kubernetes-goat.sh
- Then navigate to http://127.0.0.1:1234
Kubernetes Goat - KIND setup
- If you want to setup Kubernetes Goat using KIND, refer to kind-setup
Scenarios
- Sensitive keys in code-bases
- DIND (docker-in-docker) exploitation
- SSRF in K8S world
- Container escape to access host system
- Docker CIS Benchmarks analysis
- Kubernetes CIS Benchmarks analysis
- Attacking private registry
- NodePort exposed services
- Helm v2 tiller to PwN the cluster
- Analysing crypto miner container
- Kubernetes Namespaces bypass
- Gaining environment information
- DoS the memory/CPU resources
- Hacker Container preview
- Hidden in layers
- RBAC Least Privileges Misconfiguration
- KubeAudit - Audit Kubernetes Clusters
- Sysdig Falco - Runtime Security Monitoring & Detection
- Popeye - A Kubernetes Cluster Sanitizer
- Secure network boundaries using NSP
Showcase
- Presented at OWASP Bay Area Meetup at https://youtu.be/DQllxpb46Yw
- Presented at DEF CON RED Team Village https://youtu.be/aEaSZJRbnTo
- Presented at OWASP San Diego at https://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/hmbbkrybckbvb/
- Featured in the official Kubernetes Podcast at https://kubernetespodcast.com/episode/109-kubermatic
- Featured in tl;dr sec https://tldrsec.com/blog/tldr-sec-039
- Featured in CloudSecList https://cloudseclist.com/issues/issue-42
- Presented at EkoParty 2020 DevSecOps https://youtu.be/XqwbVU-gtng
- Presented at c0c0cn 2020 https://india.c0c0n.org/2020/speakers#madhu_akula
- Featured in Info Ck YouTube channel https://youtu.be/5ojho4L6Xfo
- Presented in Cloud Native Indonesia Meetup https://youtu.be/pf5jOGWoWU0
- Presented in USENIX LISA 2021 Closing Note
- Presented in SANS CloudSecNext Summit 2021
Disclaimer
Kubernetes Goat creates intentionally vulnerable resources into your cluster. DO NOT deploy Kubernetes Goat in a production environment or alongside any sensitive cluster resources.
Kubernetes Goat comes with absolutely no warranties whatsoever. By using Kubernetes Goat, you take full responsibility for all outcomes that result.