I have been working in Containers, Kubernetes and it’s security for quite sometime. I felt that there is a gap between the security and technology understanding of the Kubernetes it self. We all learnt using different goats in security world like WebGoat. I wanted to create some simple environment where anyone can practice and learn to get started in Kubernetes Security.
That’s how it all started with Kubernetes Goat. But it has lot of extensive documented scenarios which are taken from real-world attacks, vulnerabilities and misconfigurations.
You can learn more about Kubernetes Goat and its active development, scenarios and the documentation at Github.
I had covered almost 14 different scenarios in Kubernetes Goat currently, also adding more scenarios and features soon. List of scenarios currently available in Kubernetes Goat are as follows
- Sensitive keys in code bases
- DIND(docker-in-docker) exploitation
- SSRF in K8S world
- Container escape to access host system
- Docker CIS Benchmarks analysis
- Kubernetes CIS Benchmarks analysis
- Attacking private registry
- NodePort exposed services
- Helm v2 tiller to PwN the cluster
- Analysing crypto miner container
- Kubernetes Namespaces bypass
- Gaining environment information
- DoS the memory/cpu resources
- Hacker Container preview
As it’s a complicated to setup the entire cluster environment and trying these scenarios, I have created free online playground at Katacoda to just tryout from your browser. You can just get started playing with Kubernetes Goat by clicking below link
Yes, indeed the Kubernetes Goat is intended to help you teach and learn as a walkthrough and the detailed step by step Guide can be found at https://madhuakula.com/kubernetes-goat
No, please don’t do that. It’s intentionally designed to be vulnerable cluster to showcase different vulnerabilities, misconfigurations in Kubernetes environments. Also read the below disclaimers.
Kubernetes Goat creates intentionally vulnerable resources into your cluster. DO NOT deploy Kubernetes Goat in a production environment or alongside any sensitive cluster resources.
Kubernetes Goat comes with absolutely no warranties whatsoever. By using Kubernetes Goat, you take full responsibility for any and all outcomes that result.
As I said, the project is in active development to include new features and scenarios. So, to just name some of the upcoming features/scenarios coming in Kubernetes Goat includes:
- More offensive or attacker scenarios to learn about Kubernetes security from an attackers perspective
- Defender scenarios to secure/mitigate these misconfigurations and vulnerabilities
- Also, working on KIND based deployments to showcase cluster it self vulnerabilities and weaknesses
- Detailed references and resources for attacks/vulnerabilities which are unable to reproduce with newer version of clusters
- Many more…
So stay tuned for the more updates in below channels
⭐️ Star the Github repo to show some love❤️https://github.com/madhuakula/kubernetes-goat
Follow me in twitter @madhuakula for more updates/tweets about Kubernetes Goat as well as information more about security around Cloud, Containers, Kubernetes.