Running Kubernetes Goat on a Raspberry Pi Cluster: Fun, Chaos, and Learning Kubernetes Security
After building a Raspberry Pi Kubernetes cluster with ClusterHAT, one of the most entertaining and educational workloads to deploy is Kubernetes Goat.
If you haven’t come across it before, Kubernetes Goat is an intentionally vulnerable Kubernetes environment designed for learning Kubernetes security concepts through hands-on exploitation and investigation.
And honestly? It’s an incredibly fun thing to run on a tiny Raspberry Pi cluster.
There’s something uniquely satisfying about using a cluster of low-powered ARM devices to simulate:
- Container escapes
- Misconfigured RBAC
- Vulnerable workloads
- Exposed dashboards
- Secret leaks
- Kubernetes privilege escalation
It turns your mini home lab into a practical Kubernetes security playground. I also helped port Kubernetes Goat to arm64, so I have a soft spot for the application.
Why Kubernetes Goat Works So Well on Raspberry Pi
K3s on Raspberry Pi is already lightweight and efficient, which makes it ideal for:
- Home labs
- Security experimentation
- Learning Kubernetes internals
- Testing monitoring and scanning tools
Kubernetes Goat fits perfectly because:
- The workloads are intentionally simple
- Most scenarios are lightweight
- It gives you real Kubernetes attack surfaces to explore
And because the cluster is physically yours, you can break things without worrying about cloud costs or destroying production infrastructure.
Deploying Kubernetes Goat
First, clone the repository:

    git clone https://github.com/madhuakula/kubernetes-goat.git
    cd kubernetes-goat

Deploy the environment:

    bash ./setup-kubernetes-goat.sh

Check the pods:

    kubectl get pods -A

Once done, we need to be able to access the cluster locally by running:

    bash ./access-kubernetes-goat.sh

Depending on the Raspberry Pi model and SD card speeds, it may take a few minutes for everything to start.
Resource Constraints on Raspberry Pi
One thing you’ll quickly notice is that Raspberry Pi clusters force you to think about resources carefully.
Kubernetes Goat includes multiple vulnerable workloads, and running all scenarios simultaneously can:
- Consume memory quickly
- Stress slower SD cards
- Increase startup time
A few tips:
- Use lightweight OS images
- Avoid unnecessary background services
- Scale deployments down when not in use
- Use NFS-backed storage where possible
This actually becomes part of the learning experience—understanding Kubernetes scheduling and resource management under constraints.
Exposing the Scenarios Externally
One of the best parts of running Kubernetes Goat is connecting external tools to the vulnerable applications.
This lets you experiment with:
- OWASP ZAP
- Burp Suite
- Nmap
- kube-hunter
- Trivy
- Nikto
- Custom scripts
To do that, we need to expose services outside the cluster.
Option 1: NodePort Services
The simplest method is using NodePort.
Example:

    apiVersion: v1
    kind: Service
    metadata:
      name: vulnerable-app
    spec:
      type: NodePort
      selector:
        app: vulnerable-app
      ports:
        - port: 80
          targetPort: 80
          nodePort: 30080

Apply it:

    kubectl apply -f service.yaml

Now the service becomes accessible via:

    http://<raspberry-pi-ip>:30080

This is the easiest option for home lab environments.
Option 2: Ingress with Traefik
Because K3s ships with Traefik by default, you can also expose scenarios through an ingress controller.
Example ingress:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: goat-ingress
    spec:
      rules:
        - host: goat.local
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: vulnerable-app
                    port:
                      number: 80

This approach is cleaner and makes it easier to expose multiple scenarios simultaneously.
You can then map DNS locally using:
- /etc/hosts
- Pi-hole
- Local DNS servers
Security Warning (Seriously)
Kubernetes Goat is intentionally vulnerable.
Do not expose it directly to the public internet unless you fully understand the risks.
Recommended setup:
- Keep it on a private VLAN
- Restrict access via firewall rules
- Use it only inside your lab network
- Tear it down when finished experimenting
Treat it like malware research infrastructure.
Fun Experiments to Try
Once Kubernetes Goat is running, the fun really begins.
1. Run kube-hunter Against Your Cluster
See what a Kubernetes attacker would discover automatically.

    kubectl run kube-hunter \
      --image=aquasec/kube-hunter \
      -- --remote <cluster-ip>

2. Scan Containers with Trivy
Look for vulnerable packages and misconfigurations.

    trivy image vulnerable-image

3. Explore RBAC Misconfigurations
One of the best learning exercises is understanding how overly permissive service accounts can lead to privilege escalation.
Kubernetes Goat demonstrates this brilliantly.
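A weak binding beside a scoped one, as an added example that is not taken from the original post or from Kubernetes Goat's manifests. The `lab` namespace, the `goat-app` ServiceAccount and the ConfigMap name are constructed for illustration; apply either the weak binding or the scoped pair, not both.

```yaml
# WEAK (constructed): the workload's ServiceAccount is bound to cluster-admin,
# so any code running in the pod holds full control of the cluster API.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: goat-app-admin
subjects:
  - kind: ServiceAccount
    name: goat-app
    namespace: lab
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
---
# SCOPED (constructed): a namespaced Role limited to reading one ConfigMap.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: goat-app-read-config
  namespace: lab
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["goat-app-config"]
    verbs: ["get"]
---
# Bind the scoped Role to the same ServiceAccount, inside its namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: goat-app-read-config
  namespace: lab
subjects:
  - kind: ServiceAccount
    name: goat-app
    namespace: lab
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: goat-app-read-config
# Compare the effective permissions under each variant:
#   kubectl auth can-i --list -n lab --as=system:serviceaccount:lab:goat-app
```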
4. Test Network Policies
Try isolating vulnerable workloads using Kubernetes Network Policies.
This is a fantastic way to learn:
- East-west traffic control
- Pod isolation
- Namespace segmentation
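One way to start the isolation exercise, as an added example that is not part of the original post or of Kubernetes Goat: a default-deny policy plus a single allow rule for the `vulnerable-app` pods from the Service example earlier. It assumes the pods run in the `default` namespace, that the cluster enforces NetworkPolicy, and that Traefik runs in `kube-system` with the label `app.kubernetes.io/name: traefik` (check with `kubectl get pods -n kube-system --show-labels`).

```yaml
# 1) Pod isolation: select every pod in the namespace and allow nothing.
#    Listing Egress here also blocks DNS lookups from these pods until
#    an explicit egress rule is added.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default          # assumption: where vulnerable-app is deployed
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2) East-west control and namespace segmentation: only the ingress
#    controller's pods may reach vulnerable-app, and only on TCP 80.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-traefik-to-vulnerable-app
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: vulnerable-app
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector in ONE list item are ANDed:
        # the peer must be a Traefik pod AND live in kube-system.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik   # assumption: verify on your cluster
      ports:
        - protocol: TCP
          port: 80
```

With both policies applied, requests through the `goat.local` ingress should still succeed, while a request to `vulnerable-app` from any other pod in the cluster should time out.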
5. Add Monitoring
Deploy:
- Prometheus
- Grafana
- Loki
Then watch what happens during scans and exploitation attempts.
This turns your tiny cluster into a miniature SOC environment.
Why This Is Such a Great Learning Platform
A Raspberry Pi cluster changes the feel of Kubernetes learning.
Instead of abstract cloud infrastructure, you can:
- Physically touch the nodes
- Watch LEDs blink during workloads
- Hear SD cards struggle under load
- Experiment freely without cloud bills
Adding Kubernetes Goat takes it one step further by turning your cluster into a deliberately insecure environment for:
- Offensive security learning
- Kubernetes troubleshooting
- Observability practice
- Container security experimentation
It’s practical, inexpensive, and surprisingly addictive.
Suggested Future Additions
Once you’ve mastered Kubernetes Goat, consider adding:
- Falco runtime detection
- Cilium networking
- ArgoCD
- Flux
- Istio
- Cert-manager
- External Secrets
- Longhorn storage
- MetalLB for load balancing
Each one teaches another layer of Kubernetes operations and security.
Final Thoughts
Kubernetes Goat on Raspberry Pi is one of those projects that perfectly balances:
- Learning
- Security
- Automation
- Experimentation
- Pure nerdy fun
You end up with a platform that teaches real Kubernetes concepts while also encouraging curiosity and exploration.
And the best part is that it all runs on a cluster small enough to sit on your desk.
About the author
Tim Wilkes is a UK-based security architect with over 15 years of experience in electronics, Linux, and Unix systems administration. Since 2021, he's been designing secure systems for a telecom company while indulging his passions for programming, automation, and 3D printing. Tim shares his projects, tinkering adventures, and tech insights here - partly as a personal log, and partly in the hopes that others will find them useful.