The Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
Refer to https://madhuakula.com/kubernetes-goat for the guide.
Show us some
Please feel free to send us a PR and show some
DEFCON DEMO Labs
Cloud Village – DEFCON
Recent Kubernetes Goat Presentations
OWASP Bay Area Meetup
DEFCON Red Team Village
- Before we set up the Kubernetes Goat, ensure that you have created and have admin access to the Kubernetes cluster
kubectl version --short
- Set up the helm version 2 in your path as
helm2. Refer to helm releases for more information about setup
- Then finally setup Kubernetes Goat by running the following command
git clone https://github.com/madhuakula/kubernetes-goat.git
- To export the ports/services locally to start learning, run the following command
Kubernetes Goat – KIND setup
- If you want to setup Kubernetes Goat using KIND, refer to kind-setup
- Sensitive keys in code-bases
- DIND (docker-in-docker) exploitation
- SSRF in K8S world
- Container escape to access host system
- Docker CIS Benchmarks analysis
- Kubernetes CIS Benchmarks analysis
- Attacking private registry
- NodePort exposed services
- Helm v2 tiller to PwN the cluster
- Analysing crypto miner container
- Kubernetes Namespaces bypass
- Gaining environment information
- DoS the memory/CPU resources
- Hacker Container preview
- Hidden in layers
- RBAC Least Privileges Misconfiguration
- KubeAudit – Audit Kubernetes Clusters
- Sysdig Falco – Runtime Security Monitoring & Detection
- Popeye – A Kubernetes Cluster Sanitizer
- Secure network boundaries using NSP
Kubernetes Goat creates intentionally vulnerable resources into your cluster. DO NOT deploy Kubernetes Goat in a production environment or alongside any sensitive cluster resources.
Kubernetes Goat comes with absolutely no warranties whatsoever. By using Kubernetes Goat, you take full responsibility for all outcomes that result.
Source : KitPloit – PenTest Tools!