kubernetes goat: “Vulnerable by Design” Kubernetes Cluster
Kubernetes Goat
The Kubernetes Goat designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
🏁 Scenarios
- Sensitive keys in codebases
- DIND (docker-in-docker) exploitation
- SSRF in the Kubernetes (K8S) world
- Container escape to the host system
- Docker CIS benchmarks analysis
- Kubernetes CIS benchmarks analysis
- Attacking private registry
- NodePort exposed services
- Helm v2 tiller to PwN the cluster – [Deprecated]
- Analyzing crypto miner container
- Kubernetes namespaces bypass
- Gaining environment information
- DoS the Memory/CPU resources
- Hacker container preview
- Hidden in layers
- RBAC least privileges misconfiguration
- KubeAudit – Audit Kubernetes clusters
- Falco – Runtime security monitoring & detection
- Popeye – A Kubernetes cluster sanitizer
- Secure network boundaries using NSP
Install & Use
Copyright (c) 2020 Madhu Akula