Introduction
Kubernetes Goat is an intentionally vulnerable Kubernetes cluster environment with multiple scenarios that can be used to learn and practice Kubernetes security. It is released under the MIT license on GitHub by Madhu Akula.
It has over 10 different scenarios covering weaknesses ranging from container escapes to SSRF exploitation to gain access to files. All of the scenarios are driven by misconfigurations and do not cover any issues arising from the usage of old and vulnerable software.
Pre-requisites
Kubernetes Goat can be installed on any K8S cluster, standalone or cloud managed. Basic requirements include:
- A functional Kubernetes cluster to which you have administrative RBAC/object creation access
- kubectl to manage the installation and troubleshoot when required
- Linux host as the deployment scripts are bash scripts
- Helm package manager, which can be installed by following the documentation
Note: As Kubernetes Goat is an intentionally vulnerable tool, it is highly recommended to set up a new cluster to try this out. If the cluster is set up on unmanaged nodes on AWS, Google Cloud or Azure, make sure the nodes are set up in isolated accounts, projects or resource groups respectively. Additionally, do not expose the cluster to the Internet or assign privileged credentials/service accounts.
Steps to install
- Confirm you have access to the cluster via kubectl. You can run the following command to confirm access:

    kubectl version

- Clone the Kubernetes Goat repository and run the setup script provided in the repo. The following commands perform these actions:

    git clone https://github.com/madhuakula/kubernetes-goat.git
    cd kubernetes-goat
    bash setup-kubernetes-goat.sh

- Ensure the pods created by the script are up and running in the cluster. At least 1 pod of each scenario should be running, as some pods may be undergoing restarts or may have other statuses:

    kubectl get pods

- Once it is confirmed that the pods are in the running state, run the following command to set up access to the scenarios through multiple kubectl proxy connections:

    bash access-kubernetes-goat.sh

- Then navigate to http://127.0.0.1:1234 to access the dashboard from which you can access the different scenarios in the playground.
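The pod check from the steps above can be scripted so that restarting or pending pods do not hide a scenario that has no running pod at all. This is an added example, not part of the Kubernetes Goat repository; the pod names in the sample are constructed, and grouping pods by stripping generated name suffixes is a heuristic assumption.

```shell
#!/bin/sh
# Added example: summarize `kubectl get pods --no-headers` output per workload.
# Heuristic (assumption): pod names end in a 5-character random suffix, preceded
# by an 8-10 character ReplicaSet hash for Deployment pods; both use the
# vowel-free alphabet Kubernetes draws generated name parts from.

# Constructed sample input; these pod names are made up for illustration.
SAMPLE_PODS='scenario-a-deployment-6d8f7c9b54-x2k9q 1/1 Running 0 2m
scenario-a-deployment-6d8f7c9b54-p7w4z 0/1 CrashLoopBackOff 3 2m
scenario-b-deployment-7c5d9f6b8-q8z5n 0/1 Pending 0 2m
scenario-c-k4m7t 1/1 Running 0 2m'

# Reads pod lines on stdin, prints one OK/WAIT line per workload, and
# returns non-zero if any workload has no pod in the Running state.
check_goat_pods() {
  awk '
    BEGIN { GEN = "^[bcdfghjklmnpqrstvwxz2456789]+$" }
    function workload(pod,    n, parts, i, out) {
      n = split(pod, parts, "-")
      # Drop the random pod suffix, then a ReplicaSet hash if one is present.
      if (n > 1 && length(parts[n]) == 5 && parts[n] ~ GEN) n--
      if (n > 1 && length(parts[n]) >= 8 && length(parts[n]) <= 10 && parts[n] ~ GEN) n--
      out = parts[1]
      for (i = 2; i <= n; i++) out = out "-" parts[i]
      return out
    }
    NF >= 3 {
      w = workload($1)
      total[w]++
      if ($3 == "Running") running[w]++
    }
    END {
      bad = 0
      for (w in total) {
        if (running[w] > 0) printf "OK %s %d/%d\n", w, running[w], total[w]
        else { printf "WAIT %s 0/%d\n", w, total[w]; bad = 1 }
      }
      exit bad
    }'
}

# Demo on the sample; against a live cluster use:
#   kubectl get pods --no-headers | check_goat_pods
printf '%s\n' "$SAMPLE_PODS" | check_goat_pods || echo "some scenarios are not ready yet"
```

A non-zero return means at least one scenario has no running pod yet, so wait and re-run the check before starting access-kubernetes-goat.sh.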

Riyaz Walikar
Founder & Chief of R&D
Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.