https://github.com/madhuakula/kubernetes-goat

Kubernetes Goat is a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground 🚀
https://github.com/madhuakula/kubernetes-goat

blueteam cloud-native cloud-security cloudsecurity container container-security devsecops docker hacking infrastructure k8s kubernetes kubernetes-goat kubernetes-security owasp pentesting redteam security vulnerable-app

Last synced: 2 days ago
JSON representation

Kubernetes Goat is a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground 🚀

• Host: GitHub
• URL: https://github.com/madhuakula/kubernetes-goat
• Owner: madhuakula
• License: mit
• Created: 2020-06-04T17:11:48.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2024-10-28T15:13:01.000Z (about 1 month ago)
• Last Synced: 2024-10-29T15:19:10.620Z (about 1 month ago)
• Topics: blueteam, cloud-native, cloud-security, cloudsecurity, container, container-security, devsecops, docker, hacking, infrastructure, k8s, kubernetes, kubernetes-goat, kubernetes-security, owasp, pentesting, redteam, security, vulnerable-app
• Language: HTML
• Homepage: https://madhuakula.com/kubernetes-goat
• Size: 124 MB
• Stars: 4,334
• Watchers: 56
• Forks: 706
• Open Issues: 18
• Metadata Files:
  • Readme: README.md
  • Funding: .github/FUNDING.yml
  • License: LICENSE

Awesome Lists containing this project

• awesome-DevOpsSec - KubernetesGoat
• awesome-devsecops - Kubernetes Goat - _Madhu Akula_ - Intentionally vulnerable cluster environment to learn and practice Kubernetes security. (Tools / Intentionally Vulnerable Applications)
• awesome-pentest-cheat-sheets - Kubernetes Goat - Vulnerable-by-Design cluster environment for training (☁️ Cloud Pentesting / Kubernetes)
• awesome-repositories - madhuakula/kubernetes-goat - Kubernetes Goat is a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground 🚀 (HTML)
• Awesome-CloudSec-Labs - Kubernetes Goat - hosted, multi-cloud, K3S| [Madhu Akula](https://twitter.com/madhuakula) | Create and host in your own cloud account (GKE, EKS, AKS) or K3S and attack, has a guided workbook | (Sorted by Technology and Category)
• awesome-vulnerable-apps - Kubernetes Goat - Kubernetes Goat is "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security. (Cloud Security)
• awesome-cybersecurity-practice - https://github.com/madhuakula/kubernetes-goat
• awesome-kubernetes-threat-detection - kubernetes-goat
• awesome-k8s-security - Kubernetes Goat
• awesome-cloud-security - 地址 - goat) `由「UzJu」师傅补充，感谢支持` (0x03 靶场 :dart: / 云原生靶场)
• awesome-hacking-lists - madhuakula/kubernetes-goat - Kubernetes Goat is a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground 🚀 (HTML)

README

        


  

    

  





  Kubernetes Goat





    ✨ The Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security 🚀





    🙌 Refer to https://madhuakula.com/kubernetes-goat for the guide 📖





    

        

        

    

        

        

    

        

        

    

        

        

    

        

        

    

        

        

    

        

    

    

        

    



[![Kubernetes Goat Home](./kubernetes-goat-home.png)](https://madhuakula.com/kubernetes-goat)

## 🧰 Setting up Kubernetes Goat

* Ensure you have admin access to the Kubernetes cluster and installed `kubectl`. Refer to the [docs for installation](https://kubernetes.io/docs/tasks/tools/install-kubectl/)

* Ensure you have the `helm` package manager installed. Refer to the [docs for installation](https://helm.sh/docs/intro/install)

* To set up the Kubernetes Goat resources in your cluster, run the following commands:

```bash

git clone https://github.com/madhuakula/kubernetes-goat.git

cd kubernetes-goat

chmod +x setup-kubernetes-goat.sh

bash setup-kubernetes-goat.sh

```

* Ensure the pods are running before running the access script

```bash

kubectl get pods

```

![all pods running in kubectl get pods](guide/docs/scenarios/images/kubectl-get-pods.png)

* Access Kubernetes Goat by exposing the resources to the local system (port-forward) by the following command:

```bash

bash access-kubernetes-goat.sh

```

* Then navigate to [`http://127.0.0.1:1234`](http://127.0.0.1:1234)

> Refer to [https://madhuakula.com/kubernetes-goat/docs/how-to-run](https://madhuakula.com/kubernetes-goat/docs/how-to-run) for setting up Kubernetes Goat in various environments like GKE, EKS, AKS, K3S, KIND, etc.

## 🏆 Scenarios

1. Sensitive keys in codebases

2. DIND (docker-in-docker) exploitation

3. SSRF in the Kubernetes (K8S) world

4. Container escape to the host system

5. Docker CIS benchmarks analysis

6. Kubernetes CIS benchmarks analysis

7. Attacking private registry

8. NodePort exposed services

9. Helm v2 tiller to PwN the cluster - [Deprecated]

10. Analyzing crypto miner container

11. Kubernetes namespaces bypass

12. Gaining environment information

13. DoS the Memory/CPU resources

14. Hacker container preview

15. Hidden in layers

16. RBAC least privileges misconfiguration

17. KubeAudit - Audit Kubernetes clusters

18. Falco - Runtime security monitoring & detection

19. Popeye - A Kubernetes cluster sanitizer

20. Secure network boundaries using NSP

21. Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement

22. Securing Kubernetes Clusters using Kyverno Policy Engine

## 📖 Documentation Guide

Here is the detailed step by step guide for learning and using Kubernetes Goat 🎉: [documentation guide](https://madhuakula.com/kubernetes-goat)

[![Kubernetes Goat Documentation Guide](kubernetes-goat-docs.png)](https://madhuakula.com/kubernetes-goat)

**Reference: [https://madhuakula.com/kubernetes-goat](https://madhuakula.com/kubernetes-goat)**

## ⚠️ Disclaimer

> Kubernetes Goat has intentionally created vulnerabilities, applications, and configurations to attack and gain access to your cluster and workloads. Please **DO NOT** run this alongside your production environments and infrastructure. We highly recommend running this in a safe and isolated (contained) environment.

> Kubernetes Goat is used for educational purposes only. Do not test or apply these attacks on any systems without permission. Kubernetes Goat comes with absolutely no warranties, by using it you take full responsibility for all outcomes.

## 📝 License

[MIT](https://github.com/madhuakula/kubernetes-goat/blob/master/LICENSE)

## ✨ Acknowledgements

Thanks to to these wonderful people: 🎉

    

        
madhuakula

        
phpsystems

        
adamhurm

        
malwareowl

        
za

        
0xCardinal

    

    

        
dependabot[bot]

        

        
davi-cruz

        
mkcn

        
rewanthtammana

        

        
nayanballa08

        
gvoden

    

    

        
avicoder

        
macagr

        
commjoen

        
ravenium

        
podjackel

        
hexachordanu

    

    

        
bzd111

        
William-LP

        
wurstbrot

        
suneshgovind

        
SumoSumir

        
smoyer64

    

    

        
pichuang

        
nmiekley

        
NF997

        
Like0x

        
AmeerAssadi

        
apvarun

    

    

        
ant4g0nist