DEV.co
Open-Source Security · madhuakula

kubernetes-goat

Kubernetes Goat is an intentionally vulnerable Kubernetes cluster environment designed for hands-on security learning and penetration testing practice. It provides 22 scenarios covering common K8s misconfigurations, container escape, RBAC flaws, and deployment security issues, with guided documentation and interactive labs.

Source: GitHub — github.com/madhuakula/kubernetes-goat
5.7k
GitHub stars
1k
Forks
HTML
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorymadhuakula/kubernetes-goat
Ownermadhuakula
Primary languageHTML
LicenseMIT — OSI-approved
Stars5.7k
Forks1k
Open issues28
Latest releasev2.3.0 (2024-09-03)
Last updated2026-04-16
Sourcehttps://github.com/madhuakula/kubernetes-goat

What kubernetes-goat is

A Helm/kubectl-deployable vulnerable-by-design sandbox featuring misconfigured workloads, exposed services, RBAC permission issues, and intentional security gaps across namespaces, networking, and runtime contexts. Includes integration with security tools (Falco, Kyverno, Cilium Tetragon, Popeye, KubeAudit) for detection and policy enforcement demonstration.

Quickstart

Get the kubernetes-goat source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/madhuakula/kubernetes-goat.gitcd kubernetes-goat# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Security Team Skill Development

Train DevSecOps and security engineers on Kubernetes attack chains, privilege escalation, and lateral movement in a safe, reproducible environment without risk to production systems.

Red Team and Penetration Testing Practice

Conduct offensive security exercises covering container escape, SSRF exploitation, DIND attacks, and cluster compromise scenarios with documented walkthroughs and learning outcomes.

Security Tool Evaluation and Hardening Demonstration

Test and validate detection capabilities of runtime monitoring (Falco), policy engines (Kyverno), and observability platforms (Cilium Tetragon) against real attack scenarios with remediation guidance.

Implementation considerations

  • Requires dedicated, isolated Kubernetes cluster (KIND, K3S, GKE, EKS, AKS all supported) with admin-level kubectl and Helm access; setup via shell script with straightforward resource deployment.
  • Port-forwarding and local access via shell scripts; ensure firewall rules and network policies prevent unintended external access to localhost:1234 and cluster resources.
  • Resource consumption depends on deployment target; monitor memory/CPU on smaller clusters (KIND, K3S) as some scenarios include intentional DoS and resource exhaustion exercises.
  • Scenarios require sequential execution and understanding of prerequisites; refer to external documentation at madhuakula.com/kubernetes-goat for step-by-step walkthroughs and remediation paths.
  • No built-in tear-down automation beyond manual kubectl deletion; plan for cluster cleanup or use ephemeral cluster strategy (destroy and recreate between exercises).

When to avoid it — and what to weigh

  • Production-Adjacent Infrastructure — Do not run alongside production or critical environments. Explicitly designed with intentional vulnerabilities and exploitable misconfiguration that could cascade if misconfigured or left running.
  • Compliance/Certification Training Alone — While useful for learning, Kubernetes Goat covers attack scenarios and offensive techniques rather than compliance frameworks (CIS, PCI-DSS, SOC 2). Use alongside compliance-focused tools for full coverage.
  • Environments Lacking Isolated Network Segments — Requires strong network isolation and air-gapping. If your Kubernetes cluster cannot be completely isolated from other workloads, accidental exposure of the vulnerable environment poses risk.
  • Teams Without Kubernetes Operational Maturity — Assumes working knowledge of kubectl, Helm, cluster networking, RBAC, and container fundamentals. Steep learning curve if team lacks foundational Kubernetes experience.

License & commercial use

MIT License. Permissive open-source license allowing modification, distribution, and commercial use with attribution and no warranty. No patent grants or trademark restrictions stated.

MIT is a permissive OSI-approved license permitting commercial use. However, verify your intended use case: if you plan to bundle, rebrand, or offer Kubernetes Goat as a training platform for sale, consult legal counsel regarding liability and disclaimer adequacy. The disclaimer in the README (no warranties, educational use only) does not modify MIT license obligations but may not shield you from claims by end-users. Requires review if commercial SaaS or training product is planned.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

Kubernetes Goat is intentionally vulnerable by design and should never run in production or share infrastructure with untrusted workloads. Explicit disclaimer in README warns of this. Key considerations: (1) Isolation—ensure cluster is air-gapped from production and untrusted networks; (2) RBAC—restrict kubectl access to authorized security and DevOps personnel only; (3) Container escape risks—underlying cluster security (kernel, CRI) matters; escapes to host OS are possible by design; (4) Network policies—configure NSP or CNI policies to prevent lateral movement to adjacent clusters if multi-tenancy is in scope; (5) Secrets in scenarios—intentionally exposed (e.g., codebases, registry credentials); do not reuse real credentials on test systems. No formal security audit or CVE disclosure process described.

Alternatives to consider

OWASP WebGoat / Juice Shop

Similar vulnerable-by-design learning platforms, but focused on application security and web vulnerabilities rather than Kubernetes infrastructure and container runtime issues. Better for AppSec training; less suitable for cluster-level attack scenarios.

Linux Academy / A Cloud Guru Kubernetes Labs

Commercial training platforms with guided, safe labs covering Kubernetes security, hardening, and CIS benchmarks. Professionally maintained, integrated with learning paths, and compliance-focused. Requires subscription; less hands-on offensive perspective than Goat.

Kubernetes Security by Example (Aqua/Sysdig labs)

Vendor-maintained environments for learning container and Kubernetes security with focus on runtime detection and policy enforcement. Often lighter-weight, tied to specific tools (runtime security), and less scenario-driven than Goat's breadth of attack vectors.

Software development agency

Build on kubernetes-goat with DEV.co software developers

Set up Kubernetes Goat on an isolated cluster today. Clone the repo, run the setup script, and start with Scenario 1. Pair with your Devco security team to build custom attack simulations for your infrastructure.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

kubernetes-goat FAQ

Can I run Kubernetes Goat on my production cluster?
No. Explicitly do not run alongside production or critical infrastructure. The README includes a strong warning. Use a separate, isolated cluster for learning only.
What Kubernetes distributions does Kubernetes Goat support?
Supported: GKE, EKS, AKS, K3S, KIND, and vanilla Kubernetes. Requires kubectl and Helm CLI installed. Setup scripts and documentation cover cloud-managed and self-hosted variants.
How long does it take to complete all 22 scenarios?
Unknown; not stated in README or GitHub data. Depends on learner's Kubernetes experience, pace, and depth of exploration. Estimated 20–40 hours based on scenario complexity, but requires review of external docs for confirmed timeline.
Is Kubernetes Goat suitable for beginners?
Partially. Assumes foundational Kubernetes knowledge (pods, deployments, namespaces, RBAC, services). Complete beginners should first learn basic Kubernetes operations before attempting Goat scenarios.

Work with a software development agency

DEV.co helps companies turn open-source tools like kubernetes-goat into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Ready to Practice Kubernetes Security?

Set up Kubernetes Goat on an isolated cluster today. Clone the repo, run the setup script, and start with Scenario 1. Pair with your Devco security team to build custom attack simulations for your infrastructure.