Kloudle
academy

Hands-on with Kubernetes Goat - Introduction and Setup

Riyaz Walikar
#kubernetes #kubernetes-security

Introduction

Kubernetes Goat is an intentionally vulnerable Kubernetes cluster environment with multiple scenarios that can be used to learn and practice Kubernetes security. It is released under the MIT license on GitHub by Madhu Akula.

It has over 10 different scenarios covering weaknesses ranging from container escapes to SSRF exploitation to gain access to files. All of the scenarios are driven by misconfigurations and do not cover any issues arising from the usage of old and vulnerable software.

Pre-requisites?

Kubernetes Goat can be installed on any K8S cluster, standalone or cloud managed. Basic requirements include:

  1. A functional Kubernetes cluster to which you have administrative RBAC/object creation access
  2. Kubectl to manage the installation and troubleshooting when required
  3. Linux host as the deployment scripts are bash scripts
  4. Helm package manager, which can be installed by following the documentation

Note: As Kubernetes Goat is an intentionally vulnerable tool, it is highly recommended to set up a new cluster to try this out. If the cluster is set up on unmanaged nodes on AWS, Google Cloud or Azure, make sure the nodes are set up in isolated accounts, projects or resource groups respectively. Additionally, do not expose the cluster to the Internet or assign privileged credentials/service accounts.

Steps to install

  1. Confirm you have access to the cluster via kubectl. You can run the following command to confirm access

    kubectl version
  2. Clone the Kubernetes Goat repository and run the setup script provided in the repo. The following commands perform these actions

    git clone https://github.com/madhuakula/kubernetes-goat.git
    cd kubernetes-goat
    bash setup-kubernetes-goat.sh
  3. Ensure the pods created by the script are up and running in the cluster. At least 1 pod of each scenario should be in the Running state; some pods may still be restarting or show other statuses

    kubectl get pods

  4. Once it is confirmed that the pods are in the Running state, run the following command to set up access to the scenarios through multiple kubectl proxy connections

    bash access-kubernetes-goat.sh
  5. Then navigate to http://127.0.0.1:1234 to access the dashboard from which you can access the different scenarios in the playground.
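
The check from step 3, as an added example that is not part of the original article or the Kubernetes Goat repository: a shell function that reads `kubectl get pods --no-headers` output and lists the workloads that do not yet have a pod that is both Running and ready. The `scenario-*` names and the sample output are constructed placeholders, and matching pods to workloads by name prefix is an assumption.

```shell
#!/bin/sh
# Added example (not from the Kubernetes Goat repository).
# Prints every workload named in the arguments that has no pod which is both
# Running and fully ready in `kubectl get pods --no-headers` text on stdin.
# Assumption: a pod belongs to a workload when its name starts with
# "<workload>-", which is how Deployment and Job pods are named.
workloads_without_running_pod() {
  awk -v list="$*" '
    BEGIN { n = split(list, want, " ") }
    {
      split($2, ready, "/")                    # READY column, e.g. 1/1
      ok = ($3 == "Running" && ready[1] == ready[2])
      for (i = 1; i <= n; i++)
        if (ok && index($1, want[i] "-") == 1) up[want[i]] = 1
    }
    END { for (i = 1; i <= n; i++) if (!(want[i] in up)) print want[i] }
  '
}

# Constructed sample of `kubectl get pods --no-headers` output.
# scenario-b has one crashing replica and one healthy one (passes);
# scenario-c is still being created; scenario-d is Running but not ready.
SAMPLE_PODS='scenario-a-deployment-7d9c5b6f4-x2k8p   1/1   Running             0   5m
scenario-b-deployment-5f6b7c8d9-q4w7z   0/1   CrashLoopBackOff    6   5m
scenario-b-deployment-5f6b7c8d9-m9n2b   1/1   Running             0   5m
scenario-c-deployment-6c7d8e9f5-h3j5k   0/1   ContainerCreating   0   5m
scenario-d-deployment-84b5c6d7f-t6v8x   0/1   Running             2   5m'

# Offline demo on the constructed sample.
printf '%s\n' "$SAMPLE_PODS" | workloads_without_running_pod \
  scenario-a-deployment scenario-b-deployment \
  scenario-c-deployment scenario-d-deployment

# Against the lab cluster (current namespace), take the names from kubectl:
#   kubectl get pods --no-headers | workloads_without_running_pod \
#     $(kubectl get deployments -o jsonpath='{.items[*].metadata.name}')
```

An empty result means every listed workload has at least one ready pod, so it is safe to move on to step 4.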