Kubernetes Goat

New
trial
First Added: June 15, 2026. Updated: June 22, 2026.

Kubernetes Goat is an intentionally vulnerable Kubernetes cluster lab by Madhu Akula. It deploys misconfigured workloads for hands-on attack and defense scenarios. We trial it for cluster security training, runtime exploitation practice, and calibrating Kubescape or kube-bench CIS drills. Never run it on production clusters or shared infrastructure.

Blurb

The Kubernetes Goat is designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.

Summary

Kubernetes Goat extends the Goat tradition (DVWA, Juice Shop, TerraGoat) into live cluster security. Bridgecrew goats target IaC files; this lab targets running pods, RBAC, and cluster misconfigurations.

When to use: teaching DevSecOps and K8s red-team basics; walking through 20+ documented scenarios (RBAC abuse, container escape, SSRF, registry attacks); pairing manual exploits with Kubescape or kube-bench CIS modules in the curriculum.

When to skip: you cannot provision an isolated lab cluster (KIND, K3s, minikube, or disposable cloud); you only need static manifest scanning (use Checkov on repos); you need web-app vuln labs only (use DVWA or Juice Shop).

Setup: clone repo, run setup-kubernetes-goat.sh, then access-kubernetes-goat.sh for local UI at http://127.0.0.1:1234. Full guide at madhuakula.com/kubernetes-goat.

Details

Compared to IaC Goats

| Lens | Kubernetes Goat | TerraGoat / Bridgecrew goats |
|---|---|---|
| Target | Running Kubernetes cluster | IaC files (Terraform, CFN, Bicep, CDK) |
| Skills | RBAC, escapes, SSRF, runtime abuse | Misconfiguration detection pre-deploy |
| Scanner pairing | Kubescape, kube-bench, Checkov on manifests | Checkov on IaC |
| Best fit | Cluster security and exploitation labs | Cloud template scanning labs |

Scenario Highlights

Upstream documents 20+ modules, including sensitive keys in repos, docker-in-docker abuse, container escape, private registry attacks, RBAC misconfiguration, CIS Docker/K8s benchmark analysis, and policy engine hardening exercises.

Deployment Guardrails

  • Use a dedicated lab cluster with no production namespaces or data.
  • Requires cluster admin and kubectl; Helm for install scripts.
  • Read upstream disclaimer before setup: vulnerabilities are intentional.
  • Tear down the lab when finished; do not co-locate with real workloads.
  • Prefer KIND, K3s, or a sandbox EKS/GKE/AKS account per upstream docs.
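
The guardrails above can be checked mechanically before the setup script is run. The pre-flight script below is an added example, not part of the Kubernetes Goat project; the allowed context-name patterns (kind-*, k3d-*, minikube) and the baseline namespace list are assumptions to adjust for your lab.

```sh
#!/bin/sh
# Added example: pre-flight guard to run before setup-kubernetes-goat.sh.
# ASSUMPTION: namespaces a freshly created lab cluster is expected to contain.
BASELINE_NAMESPACES="default kube-system kube-public kube-node-lease local-path-storage"

# is_lab_context NAME: succeeds only for context names that look like a local lab.
# ASSUMPTION: labs use the default KIND / k3d / minikube context names.
is_lab_context() {
  case "$1" in
    kind-*|k3d-*|minikube) return 0 ;;
    *) return 1 ;;
  esac
}

# foreign_namespaces: reads `kubectl get namespaces -o name` output on stdin and
# prints every namespace that is not in the baseline, one per line.
foreign_namespaces() {
  while IFS= read -r line || [ -n "$line" ]; do
    ns="${line#namespace/}"
    [ -n "$ns" ] || continue
    case " $BASELINE_NAMESPACES " in
      *" $ns "*) ;;                    # expected on an empty cluster
      *) printf '%s\n' "$ns" ;;        # someone else's workload may live here
    esac
  done
}

# preflight: refuses unless tools exist, the context is a lab, the cluster is
# empty of foreign namespaces, and the current user is cluster admin.
preflight() {
  command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found" >&2; return 1; }
  command -v helm >/dev/null 2>&1 || { echo "helm not found" >&2; return 1; }
  ctx="$(kubectl config current-context 2>/dev/null)"
  is_lab_context "$ctx" \
    || { echo "refusing: '$ctx' is not a known lab context" >&2; return 1; }
  extra="$(kubectl get namespaces -o name | foreign_namespaces)"
  [ -z "$extra" ] \
    || { echo "refusing: non-baseline namespaces present: $extra" >&2; return 1; }
  kubectl auth can-i '*' '*' --all-namespaces >/dev/null 2>&1 \
    || { echo "current user is not cluster admin" >&2; return 1; }
  echo "ok: '$ctx' looks like a disposable lab cluster"
}

# Checks run only when requested, so the file can also be sourced for its functions.
if [ "${GOAT_PREFLIGHT:-0}" = "1" ]; then preflight; fi
```

Saved under a hypothetical name such as preflight.sh, it gates the install as `GOAT_PREFLIGHT=1 sh preflight.sh && bash setup-kubernetes-goat.sh`. Once the lab is installed its own namespaces count as non-baseline, so a re-run refuses until the lab is torn down or the baseline is extended.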

Install Sketch

git clone https://github.com/madhuakula/kubernetes-goat.git
cd kubernetes-goat
bash setup-kubernetes-goat.sh
kubectl get pods   # wait until ready
bash access-kubernetes-goat.sh
# UI: http://127.0.0.1:1234