madhuakula/kubernetes-goat

Defence scenarios for the existing scenarios

Open

#17 opened on Sep 1, 2020

View on GitHub
 (1 comment) (1 reaction) (1 assignee)HTML (3,738 stars) (648 forks)batch import
documentationenhancementgood first issuehelp wanted

Description

Defence scenarios for the below scenarios

  • Sensitive keys in code bases
  • DIND(docker-in-docker) exploitation
  • SSRF in K8S world
  • Container escape to access host system
  • Docker CIS Benchmarks analysis
  • Kubernetes CIS Benchmarks analysis
  • Attacking private registry
  • NodePort exposed services
  • Helm v2 tiller to PwN the cluster
  • Analysing crypto miner container
  • Kubernetes Namespaces bypass
  • Gaining environment information
  • DoS the memory/cpu resources

Contributor guide

Tech stack
dockerkubernetesshell
Domain
securitydevopscloud
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Kubernetes basicsDocker security conceptsKnowledge of attack scenarios
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Review the existing attack scenarios in the repository (e.g., scenario files in scenarios/ directory). For each attack listed (sensitive keys, DIND exploitation, SSRF, etc.), research and document defence mechanisms. Look for any linked issues or comments for guidance. The assignee may have initial ideas. Provide step by step mitigation instructions suitable for the Kubernetes Goat environment.