Kubernetes Goat: Learn Security Through Intentional Vulnerabilities

Kubernetes Goat

Kubernetes Goat is an interactive Kubernetes security learning playground. It has intentionally vulnerable by design scenarios to showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments.

It’s tough to learn and understand Kubernetes security safely, practically, and efficiently. So here we come to solve this problem not only for security researchers but also to showcase how we can leverage it for attackers, defenders, developers, DevOps teams, and anyone interested in learning Kubernetes security. We are also helping products & vendors to showcase their product or tool’s effectiveness by using these playground scenarios and also help them to use this to educate their customers and organizations. This project is a place to share knowledge with the community in well-documented quality content in hands-on scenario approaches.

Goals

Below are some of the main goals of the Kubernetes Goat

  • Quick & Easy
  • Great Documentation
  • Knowledge Sharing
  • Scenario-Based Approach
  • High-Quality Content
  • Interactive Learning
  • Real-world Examples
  • Practical Hands-On
  • Diverse Audiences
  • Awesome Community

Scenarios

  1. Sensitive keys in codebases
  2. DIND (docker-in-docker) exploitation
  3. SSRF in the Kubernetes (K8S) world
  4. Container escape to the host system
  5. Docker CIS benchmarks analysis
  6. Kubernetes CIS benchmarks analysis
  7. Attacking private registry
  8. NodePort exposed services
  9. Helm v2 tiller to PwN the cluster – [Deprecated]
  10. Analyzing crypto miner container
  11. Kubernetes namespaces bypass
  12. Gaining environment information
  13. DoS the Memory/CPU resources
  14. Hacker container preview
  15. Hidden in layers
  16. RBAC least privileges misconfiguration
  17. KubeAudit – Audit Kubernetes clusters
  18. Falco – Runtime security monitoring & detection
  19. Popeye – A Kubernetes cluster sanitizer
  20. Secure network boundaries using NSP
  21. Cilium Tetragon – eBPF-based Security Observability and Runtime Enforcement
  22. Securing Kubernetes Clusters using Kyverno Policy Engine

Install & Use

Copyright (c) 2020 Madhu Akula