Kubernetes Goat

The Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

Refer to https://madhuakula.com/kubernetes-goat for the guide.

Upcoming Training's and Sessions

Black Hat USA 2021

"A Practical Approach to Breaking & Pwning Kubernetes Clusters" is a commercial training with completely hands-on approach by Madhu Akula at upcoming Black Hat USA 2021 to learn more about Kubernets Security.

SANS CloudSecNext Summit 2021

"Kubernetes Goat - Interactive Kubernetes Security Learning Playground" at upcoming SANS CloudSecNext Summit 2021 to learn more about Kubernets Goat.

Recent Kubernetes Goat Presentations

OWASP Bay Area Meetup

DEFCON Red Team Village

EkoParty 2020 - DevSecOps

🎲 Just click and Play in the browser for free using Katacoda Playground - Try now

https://katacoda.com/madhuakula/scenarios/kubernetes-goat

⚙️ Setting up Kubernetes Goat

Before we set up the Kubernetes Goat, ensure that you have created and have admin access to the Kubernetes cluster

kubectl version --short

Set up the helm version 2 in your path as helm2. Refer to helm releases for more information about setup

helm2 --help

Then finally setup Kubernetes Goat by running the following command

git clone https://github.com/madhuakula/kubernetes-goat.git
cd kubernetes-goat
bash setup-kubernetes-goat.sh

To export the ports/services locally to start learning, run the following command

bash access-kubernetes-goat.sh

Then navigate to http://127.0.0.1:1234

Kubernetes Goat - KIND setup

If you want to setup Kubernetes Goat using KIND, refer to kind-setup

🏁 Scenarios

Sensitive keys in code-bases
DIND (docker-in-docker) exploitation
SSRF in K8S world
Container escape to access host system
Docker CIS Benchmarks analysis
Kubernetes CIS Benchmarks analysis
Attacking private registry
NodePort exposed services
Helm v2 tiller to PwN the cluster
Analysing crypto miner container
Kubernetes Namespaces bypass
Gaining environment information
DoS the memory/CPU resources
Hacker Container preview
Hidden in layers

❤️ Showcase

Presented at OWASP Bay Area Meetup at https://youtu.be/DQllxpb46Yw
Presented at DEF CON RED Team Village https://youtu.be/aEaSZJRbnTo
Presented at OWASP San Diego at https://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/hmbbkrybckbvb/
Featured in the official Kubernetes Podcast at https://kubernetespodcast.com/episode/109-kubermatic
Featured in tl;dr sec https://tldrsec.com/blog/tldr-sec-039
Featured in CloudSecList https://cloudseclist.com/issues/issue-42
Presented at EkoParty 2020 DevSecOps https://youtu.be/XqwbVU-gtng
Presented at c0c0cn 2020 https://india.c0c0n.org/2020/speakers#madhu_akula
Featured in Info Ck YouTube channel https://youtu.be/5ojho4L6Xfo
Presented in Cloud Native Indonesia Meetup https://youtu.be/pf5jOGWoWU0

⚠️ Disclaimer

Kubernetes Goat creates intentionally vulnerable resources into your cluster. DO NOT deploy Kubernetes Goat in a production environment or alongside any sensitive cluster resources.

Kubernetes Goat comes with absolutely no warranties whatsoever. By using Kubernetes Goat, you take full responsibility for all outcomes that result.

✨ Contributors

Thanks goes to these wonderful people 🎉

madhuakula	macagr	rewanthtammana	NF997	smoyer64	wurstbrot
podjackel

About

Kubernetes Goat is "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

https://madhuakula.com/kubernetes-goat

MIT License

Languages

Language:HTML 94.9%Language:Shell 2.2%Language:Dockerfile 1.3%Language:JavaScript 0.4%Language:Go 0.4%Language:Python 0.3%Language:Mustache 0.3%Language:Smarty 0.1%