kubernetes-goat
Kubernetes Goat is an intentionally vulnerable Kubernetes cluster environment designed for hands-on security learning and penetration testing practice. It provides 22 scenarios covering common K8s misconfigurations, container escape, RBAC flaws, and deployment security issues, with guided documentation and interactive labs.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | madhuakula/kubernetes-goat |
| Owner | madhuakula |
| Primary language | HTML |
| License | MIT — OSI-approved |
| Stars | 5.7k |
| Forks | 1k |
| Open issues | 28 |
| Latest release | v2.3.0 (2024-09-03) |
| Last updated | 2026-04-16 |
| Source | https://github.com/madhuakula/kubernetes-goat |
What kubernetes-goat is
A Helm/kubectl-deployable vulnerable-by-design sandbox featuring misconfigured workloads, exposed services, RBAC permission issues, and intentional security gaps across namespaces, networking, and runtime contexts. Includes integration with security tools (Falco, Kyverno, Cilium Tetragon, Popeye, KubeAudit) for detection and policy enforcement demonstration.
Get the kubernetes-goat source
Clone the repository and explore it locally.
git clone https://github.com/madhuakula/kubernetes-goat.gitcd kubernetes-goat# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires dedicated, isolated Kubernetes cluster (KIND, K3S, GKE, EKS, AKS all supported) with admin-level kubectl and Helm access; setup via shell script with straightforward resource deployment.
- Port-forwarding and local access via shell scripts; ensure firewall rules and network policies prevent unintended external access to localhost:1234 and cluster resources.
- Resource consumption depends on deployment target; monitor memory/CPU on smaller clusters (KIND, K3S) as some scenarios include intentional DoS and resource exhaustion exercises.
- Scenarios require sequential execution and understanding of prerequisites; refer to external documentation at madhuakula.com/kubernetes-goat for step-by-step walkthroughs and remediation paths.
- No built-in tear-down automation beyond manual kubectl deletion; plan for cluster cleanup or use ephemeral cluster strategy (destroy and recreate between exercises).
When to avoid it — and what to weigh
- Production-Adjacent Infrastructure — Do not run alongside production or critical environments. Explicitly designed with intentional vulnerabilities and exploitable misconfiguration that could cascade if misconfigured or left running.
- Compliance/Certification Training Alone — While useful for learning, Kubernetes Goat covers attack scenarios and offensive techniques rather than compliance frameworks (CIS, PCI-DSS, SOC 2). Use alongside compliance-focused tools for full coverage.
- Environments Lacking Isolated Network Segments — Requires strong network isolation and air-gapping. If your Kubernetes cluster cannot be completely isolated from other workloads, accidental exposure of the vulnerable environment poses risk.
- Teams Without Kubernetes Operational Maturity — Assumes working knowledge of kubectl, Helm, cluster networking, RBAC, and container fundamentals. Steep learning curve if team lacks foundational Kubernetes experience.
License & commercial use
MIT License. Permissive open-source license allowing modification, distribution, and commercial use with attribution and no warranty. No patent grants or trademark restrictions stated.
MIT is a permissive OSI-approved license permitting commercial use. However, verify your intended use case: if you plan to bundle, rebrand, or offer Kubernetes Goat as a training platform for sale, consult legal counsel regarding liability and disclaimer adequacy. The disclaimer in the README (no warranties, educational use only) does not modify MIT license obligations but may not shield you from claims by end-users. Requires review if commercial SaaS or training product is planned.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
Kubernetes Goat is intentionally vulnerable by design and should never run in production or share infrastructure with untrusted workloads. Explicit disclaimer in README warns of this. Key considerations: (1) Isolation—ensure cluster is air-gapped from production and untrusted networks; (2) RBAC—restrict kubectl access to authorized security and DevOps personnel only; (3) Container escape risks—underlying cluster security (kernel, CRI) matters; escapes to host OS are possible by design; (4) Network policies—configure NSP or CNI policies to prevent lateral movement to adjacent clusters if multi-tenancy is in scope; (5) Secrets in scenarios—intentionally exposed (e.g., codebases, registry credentials); do not reuse real credentials on test systems. No formal security audit or CVE disclosure process described.
Alternatives to consider
OWASP WebGoat / Juice Shop
Similar vulnerable-by-design learning platforms, but focused on application security and web vulnerabilities rather than Kubernetes infrastructure and container runtime issues. Better for AppSec training; less suitable for cluster-level attack scenarios.
Linux Academy / A Cloud Guru Kubernetes Labs
Commercial training platforms with guided, safe labs covering Kubernetes security, hardening, and CIS benchmarks. Professionally maintained, integrated with learning paths, and compliance-focused. Requires subscription; less hands-on offensive perspective than Goat.
Kubernetes Security by Example (Aqua/Sysdig labs)
Vendor-maintained environments for learning container and Kubernetes security with focus on runtime detection and policy enforcement. Often lighter-weight, tied to specific tools (runtime security), and less scenario-driven than Goat's breadth of attack vectors.
Build on kubernetes-goat with DEV.co software developers
Set up Kubernetes Goat on an isolated cluster today. Clone the repo, run the setup script, and start with Scenario 1. Pair with your Devco security team to build custom attack simulations for your infrastructure.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
kubernetes-goat FAQ
Can I run Kubernetes Goat on my production cluster?
What Kubernetes distributions does Kubernetes Goat support?
How long does it take to complete all 22 scenarios?
Is Kubernetes Goat suitable for beginners?
Work with a software development agency
DEV.co helps companies turn open-source tools like kubernetes-goat into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Ready to Practice Kubernetes Security?
Set up Kubernetes Goat on an isolated cluster today. Clone the repo, run the setup script, and start with Scenario 1. Pair with your Devco security team to build custom attack simulations for your infrastructure.