☸️ Kubernetes Goat — Cluster Security Lab
Intro: Kubernetes Goat is one of the most useful environments for people who need to learn Kubernetes security by doing. It combines vulnerable scenarios, cluster-security best practices, and defensive tooling in one training playground.
What this page includes
- what Kubernetes Goat is good at;
- how to run it on a standard cluster or Kind;
- what scenarios are most useful for Product Security and platform engineers;
- how to turn scenario work into review and hardening guidance.
What it is
Kubernetes Goat is an interactive Kubernetes security learning playground. It is intentionally vulnerable by design and focuses on:
- common misconfigurations;
- real-world Kubernetes and container issues;
- both offensive and defensive scenarios;
- scenario-based learning instead of one giant monolithic challenge.
It is especially valuable because it spans both attacker paths and defender tooling such as Falco, Tetragon, Kyverno, and network policy exercises.
Why it is valuable
Kubernetes security is hard to learn from static docs alone. Kubernetes Goat makes cluster concepts concrete.
It helps learners practice:
- container and pod escape reasoning;
- registry and image-trust concerns;
- RBAC and namespace issues;
- runtime visibility and security observability;
- defensive control placement in a Kubernetes environment.
Best fit
| Persona | Fit | Why |
|---|---|---|
| Platform / Kubernetes engineer | Very high | Excellent for cluster and workload review discipline |
| Product Security engineer | High | Useful for workload identity, runtime, and misconfiguration review |
| Cloud Security engineer | High | Great if you support managed Kubernetes |
| Newcomer | Medium | Best after basic Kubernetes concepts are clear |
Quick start — standard cluster
git clone https://github.com/madhuakula/kubernetes-goat.git
cd kubernetes-goat
bash setup-kubernetes-goat.sh
kubectl get pods
bash access-kubernetes-goat.sh
Then browse to http://127.0.0.1:1234.
Quick start — Kind
If you want a more isolated local lab, use the Kind instructions from the official docs:
git clone https://github.com/madhuakula/kubernetes-goat.git
cd kubernetes-goat/platforms/kind-setup
bash setup-kind-cluster-and-goat.sh
After setup, follow the standard access flow and expose services locally.
What makes it better than many Kubernetes toy labs
Kubernetes Goat does not stop at a few simple RBAC mistakes. It includes more than twenty scenarios covering topics such as:
- sensitive keys in codebases;
- DIND exploitation;
- SSRF in Kubernetes environments;
- container escape to the host;
- Docker and Kubernetes CIS benchmark analysis;
- private registry attacks;
- NodePort exposure;
- RBAC least-privilege mistakes;
- Falco and Tetragon usage;
- network-policy and Kyverno practice.
That breadth makes it useful for both learning and internal training demos.
Suggested study path
Pass 1 — cluster basics and exposure
- identify namespaces, services, ingress, and public entry points;
- identify which workloads look sensitive;
- identify what images and secrets the cluster depends on.
Pass 2 — access and escape
- analyze RBAC and service-account scope;
- review container security context and host exposure;
- inspect how one compromised workload could move sideways.
Pass 3 — defender controls
- document where Falco or Tetragon would help;
- document where Kyverno or PSP replacements would help;
- document where network policy would shrink the blast radius.
How to use it as a Product Security training lab
Ask learners to produce four artifacts for each scenario:
- a trust-boundary sketch;
- the likely attack path;
- the missing prevention control;
- the missing detection or response signal.
That turns the lab into a review exercise, not only an exploitation exercise.
Best pairings in this KB
- Kubernetes Security Baseline
- Kubernetes Hardening
- Network Policy Patterns
- Runtime Investigation Playbook for Kubernetes and Containers
- Kubernetes Deployment Review Checklist
- Threat Modeling Methods and Workflows
Common mistakes
- deploying it into a shared cluster used by real teams;
- skipping the environment inventory and jumping straight into attack steps;
- learning only one scenario type such as RBAC and ignoring runtime and networking;
- not cleaning up cluster resources afterward.
Cleanup
Follow the cleanup steps for the environment you used. At minimum:
kubectl get ns
kubectl get pods -A
Verify what namespaces and workloads were created and remove the training environment according to the official deployment method you chose.
References
- Official docs: https://madhuakula.com/kubernetes-goat/docs/
- Official repository: https://github.com/madhuakula/kubernetes-goat
- Kind setup docs: https://madhuakula.com/kubernetes-goat/docs/how-to-run/kubernetes-goat-on-kind
---Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.