Kubernetes Goat

The Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

Refer to https://madhuakula.com/kubernetes-goat for the guide.

Recent Kubernetes Goat Presentations

OWASP Bay Area Meetup

DEFCON Red Team Village

EkoParty 2020 - DevSecOps

🎲 Just click and Play in the browser for free using Katacoda Playground - Try now

https://katacoda.com/madhuakula/scenarios/kubernetes-goat

⚙️ Setting up Kubernetes Goat

• Before we set up the Kubernetes Goat, ensure that you have created and have admin access to the Kubernetes cluster

kubectl version --short

• Set up the helm version 2 in your path as helm2. Refer to helm releases for more information about setup

helm2 --help

• Then finally setup Kubernetes Goat by running the following command

git clone https://github.com/madhuakula/kubernetes-goat.git
cd kubernetes-goat
bash setup-kubernetes-goat.sh

• To export the ports/services locally to start learning, run the following command

bash access-kubernetes-goat.sh

• Then navigate to http://127.0.0.1:1234

Kubernetes Goat - KIND setup

• If you want to setup Kuberntes Goat using KIND, refer to kind-setup

🏁 Scenarios

1. Sensitive keys in codebases
2. DIND (docker-in-docker) exploitation
3. SSRF in K8S world
4. Container escape to access host system
5. Docker CIS Benchmarks analysis
6. Kubernetes CIS Benchmarks analysis
7. Attacking private registry
8. NodePort exposed services
9. Helm v2 tiller to PwN the cluster
10. Analysing crypto miner container
11. Kubernetes Namespaces bypass
12. Gaining environment information
13. DoS the memory/CPU resources
14. Hacker Container preview

❤️ Showcase

• Presented at OWASP Bay Area Meetup at https://youtu.be/DQllxpb46Yw
• Presented at DEF CON RED Team Vilalge https://youtu.be/aEaSZJRbnTo
• Presented at OWASP San Diego at https://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/hmbbkrybckbvb/
• Featured in the official Kubernetes Podcast at https://kubernetespodcast.com/episode/109-kubermatic
• Featured in tl;dr sec https://tldrsec.com/blog/tldr-sec-039
• Featured in CloudSecList https://cloudseclist.com/issues/issue-42
• Presented at EkoParty 2020 DevSecOps https://youtu.be/XqwbVU-gtng
• Presented at c0c0cn 2020 https://india.c0c0n.org/2020/speakers#madhu_akula
• Featured in Info Ck YouTube channel https://youtu.be/5ojho4L6Xfo
• Presented in Cloud Native Indonesia Meetup https://youtu.be/pf5jOGWoWU0

⚠️ Disclaimer

Kubernetes Goat creates intentionally vulnerable resources into your cluster. DO NOT deploy Kubernetes Goat in a production environment or alongside any sensitive cluster resources.

Kubernetes Goat comes with absolutely no warranties whatsoever. By using Kubernetes Goat, you take full responsibility for all outcomes that result.

✨ Contributors

Thanks goes to these wonderful people 🎉

madhuakula

macagr

NF997

wurstbrot

podjackel