Defence scenarios for the below scenarios

• Sensitive keys in code bases
• DIND(docker-in-docker) exploitation
• SSRF in K8S world
• Container escape to access host system
• Docker CIS Benchmarks analysis
• Kubernetes CIS Benchmarks analysis
• Attacking private registry
• NodePort exposed services
• Helm v2 tiller to PwN the cluster
• Analysing crypto miner container
• Kubernetes Namespaces bypass
• Gaining environment information
• DoS the memory/cpu resources

Hi Madhu!

First off, thanks for creating this awesome project. I am currently trying to deploy it locally on my raspberry pi k3s cluster, so I was looking into the image files that were used.

When I checked some of the Dockerfiles, I noticed that infrastructure/batch-check/Dockerfile contains a reference to https://madhuakula.com/kubernetes-goat/k8s-goat-a5e0a28fa75bf429123943abedb065d1, which is currently getting a 404 response.

Would you be able to look into this? Thanks!

Scene

I find that trufflehog may not be find the secrets when I try to use the latest version of trufflehog.
See this issue for details
trufflesecurity/trufflehog#1601

Do you need to optimize your pod to support the latest version?

While following the setup as mentioned on https://madhuakula.com/kubernetes-goat/kubernetes-cluster/gke.html
have encountered following error "ERROR: (gcloud.beta.container.clusters.create) ResponseError: code=500, message=Internal error encountered."

I have been able to install Helm version 2.17 from the official Github binary release but when I try to run "helm2 version" I get a command not found even though a "helm version" returns 2.17. Additionally, when I try to run the setup-kubernetes-goat script I get the following error "Error" Could not find helm2, please check helm2 setup.". Any help will be appreciated on what I am doing wrong for the required helm installation. Thanks.

@madhuakula
In scenario 2, DIND, tar is required to unzip the docker binary we download from the internet using wget. /usr/bin/tar is missing, preventing one from completing the scenario.

I actually tried grabbing tar from my local machine using wget to complete the scenario but I wasn't able to get it to work, and it's difficult to understand whats wrong without a shell (all i see from the ping service is exit codes)

Am I missing something? Seems to me like the scenario is broken. I ran through the first scenario without issues.

My setup:

• windows subsystem for linux 2 (WSL2) (ubuntu app)
• Windows 11 underneath that
• deployed K8S goat using KinD

there is a typo error in "setup-kubernetes-goat.sh" line 12. 'happend' must be changed to 'happened'.

Environment:

Platform: Azure AKS
Affected Scenario: scenarios/health-check/deployment.yaml
Kubernetes Goat Version: v2.2.0

Issue Description:

During the deployment of the Kubernetes Goat's "health-check" scenario on Azure AKS, I encountered a volume mount issue that prevented the pod from transitioning out of the "ContainerCreating" state. This issue appears to be specific to the Azure AKS platform.

Symptoms:

The "health-check" pod remained stuck in the "ContainerCreating" state.
Logs showed errors related to mounting volumes, specifically the docker-sock-volume.

 kubernetes-goat % kubectl describe pod health-check-deployment-59f4b679b-zwlb6 
Name:             health-check-deployment-59f4b679b-zwlb6
Namespace:        default
Priority:         0
Service Account:  default
Node:             aks-nodepool1-19398891-vmss000001/10.0.5.33
Start Time:       Thu, 31 Aug 2023 10:56:44 +0200
Labels:           app=health-check
                  pod-template-hash=59f4b679b
Annotations:      <none>
Status:           Pending
IP:               
IPs:              <none>
Controlled By:    ReplicaSet/health-check-deployment-59f4b679b
Containers:
  health-check:
    Container ID:   
    Image:          madhuakula/k8s-goat-health-check
    Image ID:       
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     30m
      memory:  100Mi
    Requests:
      cpu:        30m
      memory:     100Mi
    Environment:  <none>
    Mounts:
      /custom/docker/docker.sock from docker-sock-volume (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-9999x (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  docker-sock-volume:
    Type:          HostPath (bare host directory volume)
    Path:          /var/run/docker.sock
    HostPathType:  Socket
  kube-api-access-9999x:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   Guaranteed
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/memory-pressure:NoSchedule op=Exists
                             node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason       Age                  From               Message
  ----     ------       ----                 ----               -------
  Normal   Scheduled    14m                  default-scheduler  Successfully assigned default/health-check-deployment-59f4b679b-zwlb6 to aks-nodepool1-19398891-vmss000001
  Warning  FailedMount  3m28s (x2 over 12m)  kubelet            Unable to attach or mount volumes: unmounted volumes=[docker-sock-volume], unattached volumes=[docker-sock-volume kube-api-access-9999x]: timed out waiting for the condition
  Warning  FailedMount  71s (x4 over 10m)    kubelet            Unable to attach or mount volumes: unmounted volumes=[docker-sock-volume], unattached volumes=[kube-api-access-9999x docker-sock-volume]: timed out waiting for the condition
  Warning  FailedMount  12s (x15 over 14m)   kubelet            MountVolume.SetUp failed for volume "docker-sock-volume" : hostPath type check failed: /var/run/docker.sock is not a socket file     

Troubleshooting:

• Reviewed the pod's events and logs for insights into the issue.
• Checked the Docker socket path and verified the hostPath configuration in deployment.yaml.
• Investigated node-level conditions and permissions.

Resolution:

The issue was due to an incorrect type used for the docker-sock-volume hostPath. I updated the type to DirectoryOrCreate, which resolved the volume mount problem.

volumes:
  - name: docker-sock-volume
    hostPath:
      path: /var/run/docker.sock
      type: DirectoryOrCreate

Steps to Reproduce:

1. Deploy Kubernetes Goat on Azure AKS using the provided setup-kubernetes-goat.sh which refers to the current scenarios/health-check/deployment.yaml.
2. Observe the pod's behavior, specifically the "health-check" scenario by using kubectl get pods

Expected Behavior:

The "health-check" pod should transition from the "ContainerCreating" state to the "Running" state without any volume mount issues.

Recommendation:

Developers are advised to use the corrected type for the docker-sock-volume hostPath in the deployment.yaml file to ensure successful deployment on Azure AKS. To ensure compatibility, it's recommended to test the deployment specifically on Azure AKS, as this issue might not surface on other platforms.

Would like to have the scenarios page in documentation feedback options and integration of the reactions for the scenarios for a quicker and better experience Also improvements of the things

Pasting in the the details here from the Discord Thread -

• K01: Insecure Workload Configurations
  • DIND
  • DoS
• K02: Supply Chain Vulnerabilities
  • Docker Registry
• K03: Overly Permissive RBAC Configurations
  • RBAC Least Privileged
• K04: Lack of Centralized Policy Enforcement
  • Kyverno
• K05: Inadequate Logging and Monitoring
  • Sysdig Faclo
  • Cilium Tetragon
• K06: Broken Authentication Mechanisms
  • Unauthenticated Cluster
  • RBAC Least Privileged
• K07: Missing Network Segmentation Controls
  • Namespace Bypass
  • NSP
• K08: Secrets Management Failures
  • Secrets in Codebase
  • Kubernetes Secrets
• K09: Misconfigured Cluster Components
  • Cluster Misconfigs
• K10: Outdated and Vulnerable Kubernetes Components
  • Helm Tiller
  • Older Versions

Task -

• Making the documentation enhancement to add the above mentioned list with additional details

1. in setting up google cluster
   export KUBERNETESGOATPROJECTNAME="YOUR GOOGLE PROJECT NAME"
   Project name & project id both are different.
   gcloud --project only supports project id not name.

2. After running access-kubernetes-goat.sh. some of the containers still not forwarding ports. seems like need few sleep :)
   

Hi,

I am trying to deploy k8s-goat on my Mac Pro M2 but facing this issue:

1. system-monitor-deployment-* pod keep on crashing
   log:
   exec /usr/local/bin/gotty: exec format error

2. hunger-check-deployment-* pod keep crashing

log:
exec /usr/local/bin/gotty: exec format error

Can you help?
Thanks,

Helm is a tool for managing Charts. Helm2 has been depreciated and need to update the version so we can easily setup the k8s goat in our cluster instead of setting up the version(2) of helm.

Kubernetes Goat can be a great project to setup different type of vulnerable Kubernetes environment based on a configuration manifest. Currently, it demonstrates common attack surface against a default cluster, by introducing vulnerable config + apps.

While this is great to get started for security assessment of workloads hosted in a cluster, to be able to test a cluster itself, especially those that are self-managed or a very old cluster provided in the cloud and subsequently upgraded.

We need to be able to, as a roadmap:

• Support configuration driven vulnerable cluster setup (Basically choose what all issues to introduce with a useful default)
• Support issues due to misconfigurations in the control plane, for example, api-server insecure port exposure, poor credentials in tokens file, kubelet read-only port issue etc.
• Try to replicate a vulnerable cluster as per CIS Benchmark, specifically for issues that can be exploited with an impact
• Try to replicate issues mentioned specifically in k8s docs

Most of this will require ability to setup a cluster from scratch with custom config (or patches as they call it for KIND).

I believe you do not need helm2 any longer helm2 deprecation timeline
your deployment setup looks straightforward

Hi, I am getting error as below, what am I missing?

└─$ bash setup-kubernetes-goat.sh
setup-kubernetes-goat.sh: line 5: $'\r': command not found
setup-kubernetes-goat.sh: line 11: syntax error near unexpected token `else'
'etup-kubernetes-goat.sh: line 11: `else 

kubectl validation fails:

└─$ bash setup-kubernetes-goat.sh      
Error: Could not find kubectl or an other error happened, please check kubectl setup.

I deleted the kubectl check in setup-kubernetes-goat.sh for it to work

kali-linux 2023.3

This scenario will show how an attacker can leverage Kubelet API endpoint to gaining privileges access into a cluster.

https://labs.f-secure.com/blog/attacking-kubernetes-through-kubelet/

Hi,

Thanks for your work on porting to Arm64! I have started to spin it up on my cluster today and I am getting:

$ kubectl logs hunger-check-deployment-cc7758676-4zzkk -n big-monolith
standard_init_linux.go:219: exec user process caused: exec format error

Deployment was via the setup script as normal. Am I missing something, like a parameter to pass to that script?

Regards,
Tim

i managed to run the goat in microk8s, but the internal-proxy-deployment status is "CrashLoopBackOff".
Any reason why is that?

KIND nodes by default uses containerd as the CRI directly instead of Docker

kubelet command line:

/usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime=remote --container-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false --node-ip= --fail-swap-on=false

The same scenario can expose containerd.sock but exploitation will be a bit different. Either talk to it directly or start a dockerd on containerd.sock and then use docker client.

Error from Pod events:

Events:
  Type     Reason       Age                  From                   Message
  ----     ------       ----                 ----                   -------
  Normal   Scheduled    3m38s                default-scheduler      Successfully assigned default/health-check-deployment-54fd854474-gvhmq to kind-worker3
  Warning  FailedMount  95s                  kubelet, kind-worker3  Unable to attach or mount volumes: unmounted volumes=[docker-sock-volume], unattached volumes=[docker-sock-volume default-token-kvh25]: timed out waiting for the condition
  Warning  FailedMount  90s (x9 over 3m38s)  kubelet, kind-worker3  MountVolume.SetUp failed for volume "docker-sock-volume" : hostPath type check failed: /var/run/docker.sock is not a file

i could not use kind to create the cluster for this because if i ran kind, it will mess up my VM Machine DNS, which make creating Container impossible, how can i fix this ? sorry i dont know what information to give you for this matter. If you need more information please let me know.

Hello,

I am trying to do the workshop on KIND and on other Cloud Provider. Always the same issue with this workshop about container escape.

Instead of

We are directly on the host

So no way to use it.
Thanks a lot for your work

Best regards,

I just noticed that you released an update and added arm/arm64 support That's awesome, thank you so much.

I attempted deploying on my arm64 k3s cluster and had most of the pods running, but I unfortunately still ran into CrashLoopBackOff state for two pods. The two pods both had an exec format error message.

Environment

OS: Kali Linux Rolling
K8s: K3D
Docker: Client: Docker Engine - Community
Version: 20.10.21
API version: 1.41
Helm: v2.17.0

Deploying the environment using helm drops the next error.

kubectl setup looks good. [40/745]
deploying insecure super admin scenario
serviceaccount/superadmin created
clusterrolebinding.rbac.authorization.k8s.io/superadmin created
deploying helm chart metadata-db scenario
Error: This command needs 1 argument: chart name <-- Error for a chart name
deploying the vulnerable scenarios manifests
job.batch/batch-check-job created
deployment.apps/build-code-deployment created
service/build-code-service created namespace/secure-middleware created
service/cache-store-service created
deployment.apps/cache-store-deployment created
deployment.apps/health-check-deployment created
service/health-check-service created
namespace/big-monolith created
role.rbac.authorization.k8s.io/secret-reader created
rolebinding.rbac.authorization.k8s.io/secret-reader-binding created
serviceaccount/big-monolith-sa created
secret/vaultapikey created
secret/webhookapikey created
deployment.apps/hunger-check-deployment created
service/hunger-check-service created
deployment.apps/internal-proxy-deployment created
service/internal-proxy-api-service created
service/internal-proxy-info-app-service created
deployment.apps/kubernetes-goat-home-deployment created
service/kubernetes-goat-home-service created
deployment.apps/poor-registry-deployment created
service/poor-registry-service created
secret/goatvault created
deployment.apps/system-monitor-deployment created
service/system-monitor-service created
job.batch/hidden-in-layers created
Successfully deployed Kubernetes Goat. Have fun learning Kubernetes Security!
Ensure pods are in running status before running access-kubernetes-goat.sh script
Now run the bash access-kubernetes-goat.sh to access the Kubernetes Goat environment.

kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-b96499967-jbh9c 1/1 Running 0 13m
kube-system local-path-provisioner-7b7dc8d6f5-hw5fj 1/1 Running 0 13m
kube-system helm-install-traefik-crd-2gl6r 0/1 Completed 0 13m
kube-system svclb-traefik-7bcd6545-nnpkj 2/2 Running 0 13m
kube-system helm-install-traefik-69587 0/1 Completed 1 13m
kube-system metrics-server-668d979685-b4pk2 1/1 Running 0 13m
kube-system traefik-7cd4fcff68-6gvmh 1/1 Running 0 13m
kube-system tiller-deploy-77db84774f-49r6j 1/1 Running 0 8m44s
default health-check-deployment-f9d6f6f9c-v7tct 0/1 ContainerCreating 0 8m24s
default batch-check-job-lvxfh 0/1 Completed 0 8m25s
default hidden-in-layers-nc4ph 1/1 Running 0 8m21s
secure-middleware cache-store-deployment-754d469fdc-5q5cp 1/1 Running 0 8m24s
default kubernetes-goat-home-deployment-866d467dfd-24kd8 1/1 Running 0 8m23s
big-monolith hunger-check-deployment-cc7758676-7bntj 1/1 Running 0 8m23s
default poor-registry-deployment-5dbb7ccddb-gdwq7 1/1 Running 0 8m22s
default build-code-deployment-64f9dc8b78-wbtwd 1/1 Running 0 8m25s
default system-monitor-deployment-69477d6d49-7xn9g 1/1 Running 0 8m22s
default internal-proxy-deployment-567dc6dcb5-74kqv 1/2 CrashLoopBackOff 5 (52s ago) 8m23s

metdata-db pod is not deployed

• CentOS 7
• K8s version: 1.22.2

Hi, I'm trying to install k8s goat into my cluster. After running scripts setup-kubernetes-goat.sh and access-kubernetes-goat.sh. I had checked the status of all pods. However, none of nodes in my cluster have opened 1234 port. Below are the pods, deployments status:

pod(system-monitor-deployment) can't run,
the error log:
runtime: failed to create new OS thread (have 2 already; errno=22)
fatal error: newosproc

runtime stack:
runtime.throw(0x37b713, 0x9)
/usr/local/go/src/runtime/panic.go:566 +0x78
runtime.newosproc(0x10824000, 0x10833fe0)
/usr/local/go/src/runtime/os_linux.go:160 +0x1b0
runtime.newm(0x3b3394, 0x0)
/usr/local/go/src/runtime/proc.go:1572 +0x12c
runtime.main.func1()
/usr/local/go/src/runtime/proc.go:126 +0x24
runtime.systemstack(0x4e6f00)
/usr/local/go/src/runtime/asm_arm.s:247 +0x80
runtime.mstart()
/usr/local/go/src/runtime/proc.go:1079

goroutine 1 [running]:
runtime.systemstack_switch()
/usr/local/go/src/runtime/asm_arm.s:192 +0x4 fp=0x1081e7ac sp=0x1081e7a8
runtime.main()
/usr/local/go/src/runtime/proc.go:127 +0x5c fp=0x1081e7d4 sp=0x1081e7ac
runtime.goexit()
/usr/local/go/src/runtime/asm_arm.s:998 +0x4 fp=0x1081e7d4 sp=0x1081e7d4

Last line is script 'kind delete clusters kubernetes-goat-cluster' should be updated to 'kind delete clusters --name kubernetes-goat-cluster'

As per the Kind docs, to delete a cluster, --name (flag) needs to be used.

Hi,

I might miss a step.
I have minikube running. I have helm version 2(command helm not helm2) and I follow the instructions:

• minikube start
• clone repo
• bash access-kubernetes-goat.sh

kubectl setup looks good.
Creating port forward for all the Kubernetes Goat resources to locally. We will be using 1230 to 1236 ports locally!
error: error executing jsonpath "{.items[0].metadata.name}": Error executing template: array index out of bounds: index 0, length 0. Printing more information for debugging the template:
	template was:
		{.items[0].metadata.name}
	object given to jsonpath engine was:
		map[string]interface {}{"apiVersion":"v1", "items":[]interface {}{}, "kind":"List", "metadata":map[string]interface {}{"resourceVersion":"", "selfLink":""}}


error: error executing jsonpath "{.items[0].metadata.name}": Error executing template: array index out of bounds: index 0, length 0. Printing more information for debugging the template:
	template was:
		{.items[0].metadata.name}
	object given to jsonpath engine was:
		map[string]interface {}{"apiVersion":"v1", "items":[]interface {}{}, "kind":"List", "metadata":map[string]interface {}{"resourceVersion":"", "selfLink":""}}


error: error executing jsonpath "{.items[0].metadata.name}": Error executing template: array index out of bounds: index 0, length 0. Printing more information for debugging the template:
	template was:
		{.items[0].metadata.name}
	object given to jsonpath engine was:
		map[string]interface {}{"apiVersion":"v1", "items":[]interface {}{}, "kind":"List", "metadata":map[string]interface {}{"resourceVersion":"", "selfLink":""}}


error: error executing jsonpath "{.items[0].metadata.name}": Error executing template: array index out of bounds: index 0, length 0. Printing more information for debugging the template:
	template was:
		{.items[0].metadata.name}
	object given to jsonpath engine was:
		map[string]interface {}{"apiVersion":"v1", "items":[]interface {}{}, "kind":"List", "metadata":map[string]interface {}{"resourceVersion":"", "selfLink":""}}


error: error executing jsonpath "{.items[0].metadata.name}": Error executing template: array index out of bounds: index 0, length 0. Printing more information for debugging the template:
	template was:
		{.items[0].metadata.name}
	object given to jsonpath engine was:
		map[string]interface {}{"apiVersion":"v1", "items":[]interface {}{}, "kind":"List", "metadata":map[string]interface {}{"resourceVersion":"", "selfLink":""}}


error: error executing jsonpath "{.items[0].metadata.name}": Error executing template: array index out of bounds: index 0, length 0. Printing more information for debugging the template:
	template was:
		{.items[0].metadata.name}
	object given to jsonpath engine was:
		map[string]interface {}{"apiVersion":"v1", "items":[]interface {}{}, "kind":"List", "metadata":map[string]interface {}{"resourceVersion":"", "selfLink":""}}


error: error executing jsonpath "{.items[0].metadata.name}": Error executing template: array index out of bounds: index 0, length 0. Printing more information for debugging the template:
	template was:
		{.items[0].metadata.name}
	object given to jsonpath engine was:
		map[string]interface {}{"apiVersion":"v1", "items":[]interface {}{}, "kind":"List", "metadata":map[string]interface {}{"resourceVersion":"", "selfLink":""}}


Visit http://127.0.0.1:1234 to get started with your Kuberenetes Goat hacking!

It fails because there are not pods:

 kubectl get pods --namespace default -l "app=build-code" 
No resources found in default namespace.

I assume I have to do something with helm before.

When I click on one of the menu items, nothing happens.
Expected is that the content in the main view changes.

Deployment: minikube

The js debuger show no errors (except favicon missing)

A scenario where exploiting privileged pods with help of nsenter by mounting the process namespace would be nice.

Hello,

I was interested to understand the total number of intended misconfigurations and vulnerabilities in Kubernetes-goat environment. It will be great to have this information in order to understand which tool is able to capture most number of misconfigurations/vulnerabilities.

Thanks in advance !

with m1 mac

Hi as you can see I am unable to runt he script because it said that kubectl is not found. I already installed it and it running perfectly fine, please help me on this.

In Scenario 9 "Helm v2 tiller to PwN the cluster", there is a typo in /pwnchart/values.yaml inside docker image madhuakula/k8s-goat-helm-tiller. The namespace should be default.

root@bash:/pwnchart# cat values.yaml 
# Default values for connectivity-check.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
namespace: deafult
name: default

I am trying to create kubernetes-goat on kind on Linux Ubuntu VM. This particular POD is not getting started (health-check-deployment-77c7b6686-dwb6s)

ptandon@ptandon-VirtualBox:~/kubernetes-goat$ sudo kubectl get pods
NAME READY STATUS RESTARTS AGE
batch-check-job-p4jjp 0/1 Completed 0 28m
build-code-deployment-57974868c5-knmrq 1/1 Running 0 28m
health-check-deployment-77c7b6686-dwb6s 0/1 ContainerCreating 0 28m
hidden-in-layers-f6hds 1/1 Running 0 28m
internal-proxy-deployment-598c9c6666-65qxz 2/2 Running 0 28m
kubernetes-goat-home-deployment-74cd49bf79-d9qx2 1/1 Running 0 28m
metadata-db-86579bcb65-29cmq 1/1 Running 0 28m
poor-registry-deployment-cc975f599-pgxqm 1/1 Running 0 28m
system-monitor-deployment-756598dbd-fwzzv 1/1 Running 0 28m

When I try to debug this further using # kubectl describe health-check-deployment-77c7b6686-dwb6s

Events:
Type Reason Age From Message

Normal Scheduled 35m default-scheduler Successfully assigned default/health-check-deployment-77c7b6686-dwb6s to kind-control-plane
Warning FailedMount 10m (x5 over 28m) kubelet Unable to attach or mount volumes: unmounted volumes=[docker-sock-volume], unattached volumes=[kube-api-access-cf69j docker-sock-volume]: timed out waiting for the condition
Warning FailedMount 6m16s (x5 over 33m) kubelet Unable to attach or mount volumes: unmounted volumes=[docker-sock-volume], unattached volumes=[docker-sock-volume kube-api-access-cf69j]: timed out waiting for the condition
Warning FailedMount 2m8s (x21 over 35m) kubelet MountVolume.SetUp failed for volume "docker-sock-volume" : hostPath type check failed: /var/run/docker.sock is not a socket file

References :

• kubernetes/kubernetes#60813
• https://kubernetes.io/blog/2018/04/04/fixing-subpath-volume-vulnerability

In the latest version of kubernetes (v1.21) at least one pod does not start up. It stays in a Completed status and no amount of pushing fixes the issue. So since it is not documented anywhere, I figured I would ask here.

Is there a specific version that has been tested with goat?

Thanks,
JPop

Hi - I receive an error when trying to deploy the Falco tool using the helm chart. I used the script method to deploy the stable version of Helm for Ubuntu which appears to have installed Client and Server v2.17.0, and I sym linked the binary as helm2 as per the deployment instructions for GOAT. However, I receive an API version error when trying to deploy Falco using the chart, which I think may be due to Falco now supporting Helm v3? Question is, if I deploy Helm v3 will it defeat any of the labs that rely on Helm, notably "Helm V2 tiller to pwn the cluster"?

Kubernetes Goat 🐐 has grown significantly beyond expectations. Also, the vision and the future are so huge that I wanted to take this to the next level.

So we are going to build a community around it, which helps to grow this project and help to learn and share the Kubernetes and Cloud Native security with everyone.

We are going to create a discord server for the Kubernetes goat soon 🚀

After the kubectl installation, when want to run: "bash setup-kubernetes-goat.sh", an error will be shown:
Error: Could not find kubectl or another error happend, please check kubectl setup.

I assume it because of the warning error which kubernetes mentined also in their documentation. (https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/).

Is there any solution?

I had some issues when I tried to set this up.

I'm getting the error

~/kubernetes-goat$ bash setup-kubernetes-goat.sh - Error: Could not find kubectl or an other error happened, please check kubectl setup.

It looks like the command in the set up and access script kubectl version --short > /dev/null 2>&1 is always returning the error with kubectl not set up.

I had to comment it out so the script could run.

If I run that command and remove the /dev/null this is what it returns.

kubectl version --short
Flag --short has been deprecated, and will be removed in the future. The --short output will become the default.
Client Version: v1.27.4
Kustomize Version: v5.0.1
Server Version: v1.27.4

This is what I run when I'm installing Kubectl

## Installing kubectl
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
curl -LO "https://dl.k8s.io/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

So short flag would probably need to be removed.

Is anyone else having the same issue?

All the steps completed but getting following message when accessing the local cloud address.

Following message received post completion :
kubectl setup looks good. Creating port forward for all the Kubernetes Goat resources to locally. We will be using 1230 to 1236 ports locally! Visit http://127.0.0.1:1234 to get started with your Kuberenetes Goat hacking!

Please see...
When accessed the URL

Hi,

On this page: https://madhuakula.com/kubernetes-goat/docs/getting-started - the tip suggests that docker should be installed. If that is the case, should the startup script (and other documentation about getting started) reflect this?

Happy to help out, just checking direction.

Regards,
Tim

i've made fully automated vagrant-ansible chain to bring up k8s cluster and setup kubegoat inside. if u r interested in i can make a pr into repo.

https://github.com/bykvaadm/kubegoat-vagrant

My setup:

windows subsystem for linux 2 (WSL2) (ubuntu app)
Windows 11 underneath that
deployed K8S goat using KinD

The system-monitor scenario container (Container escape to the host system) keeps crashing in my setup. I am running Kubernetes Goat from a Parallels CentOS VM on a Macbook Pro M2 (ARM platform). I did the usual setup:

git clone https://github.com/madhuakula/kubernetes-goat.git
cd kubernetes-goat
bash setup-kubernetes-goat.sh

After the setup, the system-monitor pod keeps crashing:

[bart@localhost kubernetes-goat]$ kubectl get pods
NAME                                              READY   STATUS             RESTARTS         AGE
batch-check-job-67stc                             0/1     Completed          0                58m
build-code-deployment-7b558b489f-zvkn9            1/1     Running            1 (34m ago)      58m
health-check-deployment-678cc744c8-7bwqt          1/1     Running            1 (34m ago)      58m
hello-k8s-77c964f6d9-kx4bk                        1/1     Running            1 (34m ago)      83m
hidden-in-layers-bkzkk                            0/1     Error              0                58m
hidden-in-layers-r294q                            1/1     Running            0                19m
internal-proxy-deployment-7955c45559-6bbt8        2/2     Running            3 (34m ago)      58m
kubernetes-goat-home-deployment-578759495-mrs75   1/1     Running            1 (34m ago)      58m
poor-registry-deployment-c96986875-jrqf9          1/1     Running            1 (34m ago)      58m
system-monitor-deployment-7d665b6fdf-92p5n        0/1     CrashLoopBackOff   15 (3m18s ago)   58m

This is the output of kubectl describe pod

[bart@localhost kubernetes-goat]$ kubectl describe pod system-monitor-deployment-7d665b6fdf-92p5n
Name:             system-monitor-deployment-7d665b6fdf-92p5n
Namespace:        default
Priority:         0
Service Account:  default
Node:             minikube/192.168.49.2
Start Time:       Fri, 08 Sep 2023 15:20:40 +0200
Labels:           app=system-monitor
                  pod-template-hash=7d665b6fdf
Annotations:      <none>
Status:           Running
IP:               10.244.0.21
IPs:
  IP:           10.244.0.21
Controlled By:  ReplicaSet/system-monitor-deployment-7d665b6fdf
Containers:
  system-monitor:
    Container ID:   docker://5ef985cda06081bd7ccbf0d3495496361cea08f387fab9f71159b32aaf4077ef
    Image:          madhuakula/k8s-goat-system-monitor
    Image ID:       docker-pullable://madhuakula/k8s-goat-system-monitor@sha256:06b58bd080201ea0d4048befdd2159f384b61ce457a5a96e3001db629b5caa40
    Port:           8080/TCP
    Host Port:      0/TCP
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Fri, 08 Sep 2023 16:26:04 +0200
      Finished:     Fri, 08 Sep 2023 16:26:04 +0200
    Ready:          False
    Restart Count:  17
    Limits:
      cpu:     20m
      memory:  50Mi
    Requests:
      cpu:     20m
      memory:  50Mi
    Environment:
      K8S_GOAT_VAULT_KEY:  <set to the key 'k8sgoatvaultkey' in secret 'goatvault'>  Optional: false
    Mounts:
      /host-system from host-filesystem (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-qthvk (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  host-filesystem:
    Type:          HostPath (bare host directory volume)
    Path:          /
    HostPathType:
  kube-api-access-qthvk:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   Guaranteed
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason          Age                    From               Message
  ----     ------          ----                   ----               -------
  Normal   Scheduled       67m                    default-scheduler  Successfully assigned default/system-monitor-deployment-7d665b6fdf-92p5n to minikube
  Normal   Pulled          66m                    kubelet            Successfully pulled image "madhuakula/k8s-goat-system-monitor" in 4.636044887s (57.85430525s including waiting)
  Normal   Pulled          66m                    kubelet            Successfully pulled image "madhuakula/k8s-goat-system-monitor" in 1.197244245s (6.398591877s including waiting)
  Normal   Pulled          65m                    kubelet            Successfully pulled image "madhuakula/k8s-goat-system-monitor" in 1.198137167s (1.198149793s including waiting)
  Normal   Created         65m (x4 over 66m)      kubelet            Created container system-monitor
  Normal   Pulled          65m                    kubelet            Successfully pulled image "madhuakula/k8s-goat-system-monitor" in 1.187372558s (1.187406391s including waiting)
  Normal   Started         65m (x4 over 66m)      kubelet            Started container system-monitor
  Normal   Pulling         64m (x5 over 67m)      kubelet            Pulling image "madhuakula/k8s-goat-system-monitor"
  Normal   Pulled          64m                    kubelet            Successfully pulled image "madhuakula/k8s-goat-system-monitor" in 1.204099164s (1.204142997s including waiting)
  Warning  BackOff         52m (x64 over 65m)     kubelet            Back-off restarting failed container system-monitor in pod system-monitor-deployment-7d665b6fdf-92p5n_default(2b5b82d0-131c-4d35-8b7c-45ca43f15ab1)
  Warning  Failed          47m                    kubelet            Failed to pull image "madhuakula/k8s-goat-system-monitor": rpc error: code = Unknown desc = Error response from daemon: Get "https://registry-1.docker.io/v2/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
  Normal   SandboxChanged  28m                    kubelet            Pod sandbox changed, it will be killed and re-created.
  Normal   Pulled          28m                    kubelet            Successfully pulled image "madhuakula/k8s-goat-system-monitor" in 1.170037784s (6.733465063s including waiting)
  Normal   Pulled          28m                    kubelet            Successfully pulled image "madhuakula/k8s-goat-system-monitor" in 1.139940465s (1.139953464s including waiting)
  Normal   Pulled          27m                    kubelet            Successfully pulled image "madhuakula/k8s-goat-system-monitor" in 3.144573825s (3.144595783s including waiting)
  Normal   Pulling         26m (x4 over 28m)      kubelet            Pulling image "madhuakula/k8s-goat-system-monitor"
  Normal   Created         26m (x4 over 28m)      kubelet            Created container system-monitor
  Normal   Started         26m (x4 over 28m)      kubelet            Started container system-monitor
  Normal   Pulled          26m                    kubelet            Successfully pulled image "madhuakula/k8s-goat-system-monitor" in 1.158015604s (1.158047562s including waiting)
  Warning  BackOff         3m29s (x116 over 28m)  kubelet            Back-off restarting failed container system-monitor in pod system-monitor-deployment-7d665b6fdf-92p5n_default(2b5b82d0-131c-4d35-8b7c-45ca43f15ab1)

And kubectl logs is showing:

exec /usr/local/bin/gotty: exec format error

Any ideas how to fix this or further troubleshoot the issue?

Hi there @madhuakula

What if we rename the scenario folder name to:

00-...
01-...
02-...
...
11-...

so it's easier to see when we sort it.

This is #minor amd #noturgent

After I run setup-kubernetes-goat.sh script, all pods are in running state except of Health Check Deployment pod. I see error "MountVolume.SetUp failed for volume "docker-sock-volume" : hostPath type check failed: /var/run/docker.sock is not a file" in dashboard. The pod is in stuck in ContainerCreating state.

Env config:
Windows 10 Home, WSL2, Docker for Desktop, Ubuntu-18.04, Minikube (v1.16.0).

Would love to play with this on arm64 using a local raspberry pi 4 / clusterhat / raspberry pi zero 2Ws.

Any chance of an alternative build stream for arm / arm64?