{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreibsxzj2gjgjbz25hyyhys6kyppknwlc4736yhkpffzwv3kvjfjb7u",
"uri": "at://did:plc:5y2ps7xhcqmc2d63b73ui72s/app.bsky.feed.post/3mnfouclizva2"
},
"description": "Learn how to run Kubernetes Goat on a Raspberry Pi Kubernetes cluster, expose vulnerable scenarios externally, and experiment with Kubernetes security in a safe home lab environment.",
"path": "/running-kubernetes-goat-on-a-raspberry-pi-cluster-fun-chaos-and-learning-kubernetes-security/",
"publishedAt": "2026-06-03T18:00:35.000Z",
"site": "https://blog.php-systems.com",
"tags": [
"building a Raspberry Pi Kubernetes cluster with ClusterHAT"
],
"textContent": "After building a Raspberry Pi Kubernetes cluster with ClusterHAT, one of the most entertaining and educational workloads to deploy is **Kubernetes Goat**.\n\nIf you haven’t come across it before, Kubernetes Goat is an intentionally vulnerable Kubernetes environment designed for learning Kubernetes security concepts through hands-on exploitation and investigation.\n\nAnd honestly? It’s an incredibly fun thing to run on a tiny Raspberry Pi cluster.\n\nThere’s something uniquely satisfying about using a cluster of low-powered ARM devices to simulate:\n\n * Container escapes\n * Misconfigured RBAC\n * Vulnerable workloads\n * Exposed dashboards\n * Secret leaks\n * Kubernetes privilege escalation\n\n\n\nIt turns your mini home lab into a practical Kubernetes security playground. I also helped port Kubernetes Goat to arm64, so I have a soft spot for the application.\n\n* * *\n\n# Why Kubernetes Goat Works So Well on Raspberry Pi\n\nK3s on Raspberry Pi is already lightweight and efficient, which makes it ideal for:\n\n * Home labs\n * Security experimentation\n * Learning Kubernetes internals\n * Testing monitoring and scanning tools\n\n\n\nKubernetes Goat fits perfectly because:\n\n * The workloads are intentionally simple\n * Most scenarios are lightweight\n * It gives you real Kubernetes attack surfaces to explore\n\n\n\nAnd because the cluster is physically yours, you can break things without worrying about cloud costs or destroying production infrastructure.\n\n* * *\n\n# Deploying Kubernetes Goat\n\nFirst, clone the repository:\n\n\n git clone https://github.com/madhuakula/kubernetes-goat.git\n cd kubernetes-goat\n\nDeploy the environment:\n\n\n bash ./setup-kubernetes-goat.sh\n\nCheck the pods:\n\n\n kubectl get pods -A\n\nOnce done, we need to be able to access the cluster locally by running:\n\n\n bash ./access-kubernetes-goat.sh\n\nDepending on the Raspberry Pi model and SD card speeds, it may take a few minutes for everything to start.\n\n* * *\n\n# Resource Constraints on Raspberry Pi\n\nOne thing you’ll quickly notice is that Raspberry Pi clusters force you to think about resources carefully.\n\nKubernetes Goat includes multiple vulnerable workloads, and running all scenarios simultaneously can:\n\n * Consume memory quickly\n * Stress slower SD cards\n * Increase startup time\n\n\n\nA few tips:\n\n * Use lightweight OS images\n * Avoid unnecessary background services\n * Scale deployments down when not in use\n * Use NFS-backed storage where possible\n\n\n\nThis actually becomes part of the learning experience—understanding Kubernetes scheduling and resource management under constraints.\n\n* * *\n\n# Exposing the Scenarios Externally\n\nOne of the best parts of running Kubernetes Goat is connecting external tools to the vulnerable applications.\n\nThis lets you experiment with:\n\n * OWASP ZAP\n * Burp Suite\n * Nmap\n * kube-hunter\n * Trivy\n * Nikto\n * Custom scripts\n\n\n\nTo do that, we need to expose services outside the cluster.\n\n* * *\n\n# Option 1: NodePort Services\n\nThe simplest method is using `NodePort`.\n\nExample:\n\n\n apiVersion: v1\n kind: Service\n metadata:\n name: vulnerable-app\n spec:\n type: NodePort\n selector:\n app: vulnerable-app\n ports:\n - port: 80\n targetPort: 80\n nodePort: 30080\n\nApply it:\n\n\n kubectl apply -f service.yaml\n\nNow the service becomes accessible via:\n\n\n http://<raspberry-pi-ip>:30080\n\nThis is the easiest option for home lab environments.\n\n* * *\n\n# Option 2: Ingress with Traefik\n\nBecause K3s ships with Traefik by default, you can also expose scenarios through an ingress controller.\n\nExample ingress:\n\n\n apiVersion: networking.k8s.io/v1\n kind: Ingress\n metadata:\n name: goat-ingress\n spec:\n rules:\n - host: goat.local\n http:\n paths:\n - path: /\n pathType: Prefix\n backend:\n service:\n name: vulnerable-app\n port:\n number: 80\n\nThis approach is cleaner and makes it easier to expose multiple scenarios simultaneously.\n\nYou can then map DNS locally using:\n\n * `/etc/hosts`\n * Pi-hole\n * Local DNS servers\n\n\n\n* * *\n\n# Security Warning (Seriously)\n\nKubernetes Goat is intentionally vulnerable.\n\nDo **not** expose it directly to the public internet unless you fully understand the risks.\n\nRecommended setup:\n\n * Keep it on a private VLAN\n * Restrict access via firewall rules\n * Use it only inside your lab network\n * Tear it down when finished experimenting\n\n\n\nTreat it like malware research infrastructure.\n\n* * *\n\n# Fun Experiments to Try\n\nOnce Kubernetes Goat is running, the fun really begins.\n\n* * *\n\n## 1. Run kube-hunter Against Your Cluster\n\nSee what a Kubernetes attacker would discover automatically.\n\n\n kubectl run kube-hunter \\\n --image=aquasec/kube-hunter \\\n -- --remote <cluster-ip>\n\n* * *\n\n## 2. Scan Containers with Trivy\n\nLook for vulnerable packages and misconfigurations.\n\n\n trivy image vulnerable-image\n\n* * *\n\n## 3. Explore RBAC Misconfigurations\n\nOne of the best learning exercises is understanding how overly permissive service accounts can lead to privilege escalation.\n\nKubernetes Goat demonstrates this brilliantly.\n\n* * *\n\n## 4. Test Network Policies\n\nTry isolating vulnerable workloads using Kubernetes Network Policies.\n\nThis is a fantastic way to learn:\n\n * East-west traffic control\n * Pod isolation\n * Namespace segmentation\n\n\n\n* * *\n\n## 5. Add Monitoring\n\nDeploy:\n\n * Prometheus\n * Grafana\n * Loki\n\n\n\nThen watch what happens during scans and exploitation attempts.\n\nThis turns your tiny cluster into a miniature SOC environment.\n\n* * *\n\n# Why This Is Such a Great Learning Platform\n\nA Raspberry Pi cluster changes the feel of Kubernetes learning.\n\nInstead of abstract cloud infrastructure, you can:\n\n * Physically touch the nodes\n * Watch LEDs blink during workloads\n * Hear SD cards struggle under load\n * Experiment freely without cloud bills\n\n\n\nAdding Kubernetes Goat takes it one step further by turning your cluster into a deliberately insecure environment for:\n\n * Offensive security learning\n * Kubernetes troubleshooting\n * Observability practice\n * Container security experimentation\n\n\n\nIt’s practical, inexpensive, and surprisingly addictive.\n\n* * *\n\n# Suggested Future Additions\n\nOnce you’ve mastered Kubernetes Goat, consider adding:\n\n * Falco runtime detection\n * Cilium networking\n * ArgoCD\n * Flux\n * Istio\n * Cert-manager\n * External Secrets\n * Longhorn storage\n * MetalLB for load balancing\n\n\n\nEach one teaches another layer of Kubernetes operations and security.\n\n* * *\n\n# Final Thoughts\n\nKubernetes Goat on Raspberry Pi is one of those projects that perfectly balances:\n\n * Learning\n * Security\n * Automation\n * Experimentation\n * Pure nerdy fun\n\n\n\nYou end up with a platform that teaches real Kubernetes concepts while also encouraging curiosity and exploration.\n\nAnd the best part is that it all runs on a cluster small enough to sit on your desk.",
"title": "Running Kubernetes Goat on a Raspberry Pi Cluster: Fun, Chaos, and Learning Kubernetes Security",
"updatedAt": "2026-06-03T18:00:36.542Z"
}