Kubernetes Goat is an intentionally vulnerable Kubernetes cluster environment with multiple scenarios that can be used to learn and practice Kubernetes security. It is released under the MIT license on GitHub by Madhu Akula.
It has over 10 different scenarios covering weaknesses ranging from container escapes to SSRF exploitation to gain access to files. All of the scenarios are driven by misconfigurations and do not cover any issues arising from the usage of old and vulnerable software.
Kubernetes Goat can be installed on any K8S cluster, standalone or cloud managed. Basic requirements include:
- A functional Kubernetes cluster to which you have administrative RBAC/object creation access
- kubectl to manage the installation and to troubleshoot when required
- A Linux host, as the deployment scripts are bash scripts
- Helm package manager, which can be installed by following the documentation
Note: As Kubernetes Goat is an intentionally vulnerable tool, it is highly recommended to set up a new cluster to try this out. If the cluster is set up on unmanaged nodes on AWS, Google Cloud or Azure, make sure the nodes are set up in isolated accounts, projects or resource groups respectively. Additionally, do not expose the cluster to the Internet or assign privileged credentials/service accounts.
Steps to install
Confirm you have access to the cluster via kubectl. You can run the following command to confirm access
Clone the Kubernetes Goat repository and run the setup script provided in the repo. The following commands perform these actions:
git clone https://github.com/madhuakula/kubernetes-goat.git
cd kubernetes-goat
bash setup-kubernetes-goat.sh
Ensure the pods created by the script are up and running in the cluster. At least one pod of each scenario should be in the Running state; some pods may still be restarting or show other statuses while the environment settles:
kubectl get pods
Once it is confirmed that the pods are in the Running state, run the following command to set up access to the scenarios through multiple kubectl proxy connections:
Then navigate to http://127.0.0.1:1234 to access the dashboard from which you can access the different scenarios in the playground.
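The check in the "at least one pod of each scenario should be running" step can be automated rather than read off by eye. The following script is an added example, not part of the Kubernetes Goat repository: it groups the output of kubectl get pods by Deployment (assuming the usual deployment-replicasethash-podhash pod naming) and reports Deployments with no Running pod. The pod names in the sample are constructed placeholders, not the real Kubernetes Goat workload names.

```shell
#!/bin/sh
# Constructed `kubectl get pods` output; pod names are hypothetical placeholders,
# not the real Kubernetes Goat deployment names.
SAMPLE_PODS='NAME                                    READY   STATUS              RESTARTS   AGE
scenario-a-deployment-6d4f9c7b8-abcde   1/1     Running             0          2m
scenario-a-deployment-6d4f9c7b8-fghij   0/1     CrashLoopBackOff    3          2m
scenario-b-deployment-7c8e1d2a5-klmno   1/1     Running             0          2m
scenario-c-deployment-5b2a7f9e0-pqrst   0/1     ContainerCreating   0          30s'

# Group pods by Deployment (assumes the usual <deployment>-<replicaset-hash>-<pod-hash>
# naming) and print the Deployments that have no pod in the Running state.
# Input is the text of `kubectl get pods`; prints nothing when every Deployment is ready.
not_ready_deployments() {
  printf '%s\n' "$1" | awk '
    NR > 1 && NF >= 3 {
      name = $1
      sub(/-[a-z0-9]+-[a-z0-9]+$/, "", name)   # drop the two hash suffixes
      seen[name] = 1
      if ($3 == "Running") running[name] = 1
    }
    END { for (d in seen) if (!(d in running)) print d }
  ' | sort
}

# Exit-status helper suitable for a wait loop: 0 when every Deployment has a Running pod.
all_scenarios_running() {
  [ -z "$(not_ready_deployments "$1")" ]
}

# Run against the constructed sample; on a real cluster pass "$(kubectl get pods)" instead.
if all_scenarios_running "$SAMPLE_PODS"; then
  echo "all scenarios have at least one Running pod"
else
  echo "still waiting on:"
  not_ready_deployments "$SAMPLE_PODS"
fi
```

On the sample above the script reports only scenario-c-deployment, because scenario-a-deployment has one healthy replica despite its crash-looping sibling.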