explaingit

madhuakula/kubernetes-goat

5,635HTMLAudience · ops devopsComplexity · 4/5LicenseSetup · hard

TLDR

Kubernetes Goat is a deliberately insecure Kubernetes cluster for hands-on security training, with 22 scenarios covering real vulnerabilities like credential leaks, container escapes, and RBAC misconfigurations, for isolated practice environments only.

Mindmap

mindmap
  root((Kubernetes Goat))
    What it is
      Insecure training cluster
      22 scenarios
      Isolated practice only
    Vulnerabilities Covered
      Credential leaks in code
      Container escapes
      RBAC misconfig
      Exposed services
    Defensive Tools
      Falco runtime monitoring
      Kyverno policies
      Cilium Tetragon
    Setup
      Kubernetes cluster required
      Helm package manager
      Supports GKE EKS AKS
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Things people build with this

USE CASE 1

Practice finding and exploiting 22 Kubernetes security vulnerabilities in a safe, isolated training environment.

USE CASE 2

Learn how containers can escape to the underlying host without risking any production systems.

USE CASE 3

Train your team on Kubernetes RBAC misconfigurations using real hands-on scenarios.

USE CASE 4

Practice using Falco, Kyverno, and Cilium Tetragon for runtime security monitoring in a Kubernetes cluster.

Tech stack

HTMLKubernetesHelmFalcoKyverno

Getting it running

Difficulty · hard Time to first run · 1h+

Requires admin access to a Kubernetes cluster and Helm, must run in a completely isolated environment away from any production systems.

Released under the MIT license, use freely for any purpose, including commercial use, as long as you keep the copyright notice.

In plain English

Kubernetes Goat is a deliberately insecure training environment for learning about Kubernetes security. Kubernetes is a system used by companies to run and manage software in containers at scale, and securing it correctly is a common challenge. Kubernetes Goat sets up a cluster that is full of intentional security mistakes so that students and practitioners can practice finding and exploiting them in a controlled setting, without touching real production infrastructure. The project ships 22 hands-on scenarios covering real-world problems, including sensitive credentials left in code, containers escaping to the underlying host, misconfigured role-based access controls, exposed network services, namespace bypasses, and crypto miner detection. Later scenarios also introduce defensive tools, such as using Falco for runtime monitoring, Kyverno for policy enforcement, and Cilium Tetragon for tracking what processes do inside containers. Setting it up requires admin access to a Kubernetes cluster and a package manager called Helm. A setup script deploys all the vulnerable workloads, and an access script forwards the relevant ports to your local machine so you can reach the training interface at a local address in your browser. The documentation site walks through each scenario step by step. The project also supports running in managed cloud Kubernetes environments like GKE, EKS, and AKS. The project warns clearly that Kubernetes Goat should never run alongside production systems, since its vulnerabilities are real and exploitable. It is intended for education in isolated environments only. The project is released under the MIT license.

Copy-paste prompts

Prompt 1
I want to learn Kubernetes security. Walk me through setting up Kubernetes Goat on my local cluster using Helm and running the first scenario.
Prompt 2
Show me how to exploit a container escape vulnerability in Kubernetes Goat and then explain how to fix the misconfiguration that made it possible.
Prompt 3
I'm studying Kubernetes RBAC. Use the Kubernetes Goat scenarios to explain what an RBAC misconfiguration looks like and how to detect it.
Prompt 4
How do I use Falco with Kubernetes Goat to detect a crypto miner running inside a compromised container?
Open on GitHub → Explain another repo

← madhuakula on gitmyhub — every repo by this author, as a profile.

Verify against the repo before relying on details.