Skip to content

Kubernetes Goat 🐐 is a "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security πŸ”

License

Notifications You must be signed in to change notification settings

antonioni-angioletti/kubernetes-goat

Β 
Β 

Repository files navigation

Kubernetes Goat

Kubernetes Goat

✨ The Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

πŸ™Œ Refer to https://madhuakula.com/kubernetes-goat for the guide πŸ“–

Netlify Status License: MIT GitHub release Github Stars PRs Welcome Docker Pulls Kubernetes Goat Twitter

Kubernetes Goat Home

Recent Kubernetes Goat Presentations

OWASP Bay Area Meetup

Introducing Kubernetes Goat - OWASP Bay Area Meetup

DEFCON Red Team Village

Kubernetes Goat - DEFCON Red Team Village

🎲 Just click and Play in the browser for free using Katacoda Playground - Try now

Katacoda Playground Kubernetes Goat

https://katacoda.com/madhuakula/scenarios/kubernetes-goat

βš™οΈ Setting up Kubernetes Goat

  • Before we set up the Kubernetes Goat, ensure that you have created and have admin access to the Kubernetes cluster
kubectl version --short
  • Set up the helm version 3 in your path as helm. Refer to helm releases for more information about setup
helm version --short
  • Then finally setup Kubernetes Goat by running the following command
git clone https://github.com/madhuakula/kubernetes-goat.git
cd kubernetes-goat
bash setup-kubernetes-goat.sh
  • To export the ports/services locally to start learning, run the following command
bash access-kubernetes-goat.sh

Kubernetes Goat - KIND setup

  • If you want to setup Kubernetes Goat using KIND, refer to kind-setup

🏁 Scenarios

  1. Sensitive keys in code-bases
  2. DIND (docker-in-docker) exploitation
  3. SSRF in K8S world
  4. Container escape to access host system
  5. Docker CIS Benchmarks analysis
  6. Kubernetes CIS Benchmarks analysis
  7. Attacking private registry
  8. NodePort exposed services
  9. Helm v2 tiller to PwN the cluster - [Deprecated]
  10. Analysing crypto miner container
  11. Kubernetes Namespaces bypass
  12. Gaining environment information
  13. DoS the memory/CPU resources
  14. Hacker Container preview
  15. Hidden in layers
  16. RBAC Least Privileges Misconfiguration
  17. KubeAudit - Audit Kubernetes Clusters
  18. Sysdig Falco - Runtime Security Monitoring & Detection
  19. Popeye - A Kubernetes Cluster Sanitizer
  20. Secure network boundaries using NSP

❀️ Showcase

⚠️ Disclaimer

Kubernetes Goat creates intentionally vulnerable resources into your cluster. DO NOT deploy Kubernetes Goat in a production environment or alongside any sensitive cluster resources.

Kubernetes Goat comes with absolutely no warranties whatsoever. By using Kubernetes Goat, you take full responsibility for all outcomes that result.

Show us some ❀️

Please feel free to send us a PR and show some ❀️

I use this project

License

MIT

✨ Acknowledgements

Thanks goes to these wonderful people πŸŽ‰

madhuakula
madhuakula
mkcn
mkcn
macagr
macagr
rewanthtammana
rewanthtammana
avicoder
avicoder
NF997
NF997
smoyer64
smoyer64
wurstbrot
wurstbrot
podjackel
podjackel
ant4g0nist
ant4g0nist

About

Kubernetes Goat 🐐 is a "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security πŸ”

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • HTML 95.6%
  • Shell 1.9%
  • Dockerfile 1.2%
  • JavaScript 0.3%
  • Go 0.3%
  • Mustache 0.3%
  • Other 0.4%