The total number of misconfigurations and vulnerabilities in the Kubernetes-goat environment

[ijewelmas]

Hello,

I was interested to understand the total number of intended misconfigurations and vulnerabilities in Kubernetes-goat environment. It will be great to have this information in order to understand which tool is able to capture most number of misconfigurations/vulnerabilities.

Thanks in advance !

[fadao23]

+1.
I saw on "kubernetes-goat/guide/docs/security-reports/" that some reports have been updated, but without a baseline of vulnerabilities, we can't know if the tools are efficient or not.

[madhuakula]

Makes a lot of sense. Let me document in a draft and share with you all and see if anything I missed and we can improve over the time. Will work on this this week, @fadao23 @ijewelmas appreciate any suggestions, inputs about format.

[za]

Hi @madhuakula maybe I can try to help. So we need to put the risk level on each scenarios here?

1. Sensitive keys in codebases
2. DIND (docker-in-docker) exploitation
3. SSRF in the Kubernetes (K8S) world
4. Container escape to the host system
5. Docker CIS benchmarks analysis
6. Kubernetes CIS benchmarks analysis
7. Attacking private registry
8. NodePort exposed services
9. Helm v2 tiller to PwN the cluster - [Deprecated]
10. Analyzing crypto miner container
11. Kubernetes namespaces bypass
12. Gaining environment information
13. DoS the Memory/CPU resources
14. Hacker container preview
15. Hidden in layers
16. RBAC least privileges misconfiguration
17. KubeAudit - Audit Kubernetes clusters
18. Falco - Runtime security monitoring & detection
19. Popeye - A Kubernetes cluster sanitizer
20. Secure network boundaries using NSP
21. Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement
22. Securing Kubernetes Clusters using Kyverno Policy Engine

or it's not like that? As each scenario might contain varied vulnerabilities & misconfigurations. CMIIW.

[madhuakula]

Appreciate it if you have some ideas on how we can do this, @za. Let's discuss this here before moving forward with implementation.

Basically, we need to capture the list of vulnerabilities, misconfigurations, etc., in each scenario and flag them in a testable way using tools like Checkov, KICS, Kubescape, etc. against our Kubernetes Goat project. This way, we can ensure that we can map them to the Kubernetes Goat framework list of vulnerabilities and what these tools are able to find/identify.

Finally, we can create a matrix something like https://github.com/tsale/EDR-Telemetry?tab=readme-ov-file#telemetry-comparison-table