Kubernetes Goat: Learn Security Through Intentional Vulnerabilities
Kubernetes Goat
Kubernetes Goat is an interactive Kubernetes security learning playground. It has intentionally vulnerable by design scenarios to showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments.
It’s tough to learn and understand Kubernetes security safely, practically, and efficiently. So here we come to solve this problem not only for security researchers but also to showcase how we can leverage it for attackers, defenders, developers, DevOps teams, and anyone interested in learning Kubernetes security. We are also helping products & vendors to showcase their product or tool’s effectiveness by using these playground scenarios and also help them to use this to educate their customers and organizations. This project is a place to share knowledge with the community in well-documented quality content in hands-on scenario approaches.
Goals
Below are some of the main goals of the Kubernetes Goat
- Quick & Easy
- Great Documentation
- Knowledge Sharing
- Scenario-Based Approach
- High-Quality Content
- Interactive Learning
- Real-world Examples
- Practical Hands-On
- Diverse Audiences
- Awesome Community
Scenarios
- Sensitive keys in codebases
- DIND (docker-in-docker) exploitation
- SSRF in the Kubernetes (K8S) world
- Container escape to the host system
- Docker CIS benchmarks analysis
- Kubernetes CIS benchmarks analysis
- Attacking private registry
- NodePort exposed services
- Helm v2 tiller to PwN the cluster – [Deprecated]
- Analyzing crypto miner container
- Kubernetes namespaces bypass
- Gaining environment information
- DoS the Memory/CPU resources
- Hacker container preview
- Hidden in layers
- RBAC least privileges misconfiguration
- KubeAudit – Audit Kubernetes clusters
- Falco – Runtime security monitoring & detection
- Popeye – A Kubernetes cluster sanitizer
- Secure network boundaries using NSP
- Cilium Tetragon – eBPF-based Security Observability and Runtime Enforcement
- Securing Kubernetes Clusters using Kyverno Policy Engine
Install & Use
Copyright (c) 2020 Madhu Akula