A deliberately insecure Kubernetes application designed to test and evaluate security tools against common misconfigurations and vulnerabilities.
A full insecure Kubernetes application for testing security tools
This tool is used by security professionals and developers to deploy a Kubernetes environment with intentionally insecure configurations, enabling them to test the effectiveness of cloud configuration scanners, container scanning tools, and security automation workflows. It helps validate security tools by providing a reproducible, vulnerable Kubernetes setup on AWS EKS.
This tool requires AWS credentials with sufficient permissions to create and manage EKS clusters and IAM policies. Users should be cautious as the deployed applications are intentionally insecure and may expose sensitive data or allow privilege escalation. It is recommended to deploy in isolated or test AWS accounts and destroy resources promptly after use to minimize costs and security risks.
Install Terraform, Helm, AWS CLI, and eksctl
Configure a valid AWS user with necessary permissions
Navigate to the terraform directory: cd terraform
Run terraform init, terraform plan, and terraform apply to create the EKS cluster
Update kubeconfig with the new EKS cluster details using aws eks update-kubeconfig
Grant your AWS user AmazonEKSAdminPolicy and AmazonEKSClusterAdminPolicy permissions
Navigate to the helm chart directory: cd ../insecure-chart/
Deploy the insecure app and related pods using helm install insecure-app . --create-namespace --namespace=insecure-app
Destroy the Terraform deployment after testing with terraform destroy
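The steps above, wrapped in a small POSIX shell script with the guard rails a practitioner would want before deploying an intentionally insecure cluster: a prerequisite check for the CLIs the steps rely on, a refusal to run unless the current AWS account is on an allowlist of isolated test accounts, and a matching destroy path. This is an added example, not a script shipped with the project; the ALLOWED_ACCOUNTS environment variable and the function names are assumptions made here, while the terraform, aws, helm and kubectl commands are the ones listed on this page.

```shell
#!/usr/bin/env sh
# Added example wrapper around the documented deployment steps.
# Assumption (not part of the project): ALLOWED_ACCOUNTS is a space-separated
# list of AWS account IDs that you have designated as isolated test accounts.

# CLIs the documented steps rely on (eksctl is listed as a prerequisite,
# kubectl is used by the testing commands).
REQUIRED_TOOLS="terraform helm aws eksctl kubectl"

# Print the names of required CLIs that are not on PATH (empty if all present).
missing_tools() {
  missing=""
  for t in $REQUIRED_TOOLS; do
    command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
  done
  printf '%s' "${missing# }"
}

# Return 0 if the account ID ($1) appears in the space-separated allowlist ($2).
account_allowed() {
  acct="$1"
  allow="$2"
  for a in $allow; do
    [ "$a" = "$acct" ] && return 0
  done
  return 1
}

# Build the documented kubeconfig command from the region and cluster name,
# so it can be logged for review before it is run.
kubeconfig_cmd() {
  printf 'aws eks --region %s update-kubeconfig --name %s' "$1" "$2"
}

deploy() {
  m=$(missing_tools)
  if [ -n "$m" ]; then
    echo "missing tools: $m" >&2
    return 1
  fi

  # Refuse to deploy into anything other than an allowlisted test account.
  acct=$(aws sts get-caller-identity --query Account --output text) || return 1
  if ! account_allowed "$acct" "${ALLOWED_ACCOUNTS:-}"; then
    echo "account $acct is not in ALLOWED_ACCOUNTS; refusing to deploy" >&2
    return 1
  fi

  # Steps 3-4: create the EKS cluster from the terraform directory.
  (cd terraform && terraform init && terraform plan -out=tfplan && terraform apply tfplan) || return 1

  # Step 5: point kubectl at the new cluster using the terraform outputs.
  region=$(cd terraform && terraform output -raw region) || return 1
  cluster=$(cd terraform && terraform output -raw cluster_name) || return 1
  echo "running: $(kubeconfig_cmd "$region" "$cluster")"
  aws eks --region "$region" update-kubeconfig --name "$cluster" || return 1

  # Steps 7-8: deploy the insecure chart into its own namespace and list the pods.
  (cd insecure-chart && helm install insecure-app . --create-namespace --namespace=insecure-app) || return 1
  kubectl get pods -n insecure-app
}

# Step 9: tear everything down once testing is finished.
destroy() {
  (cd terraform && terraform destroy -auto-approve)
}

case "${1:-}" in
  deploy) deploy ;;
  destroy) destroy ;;
  "") ;;  # no argument: only define the functions (e.g. when sourced)
  *) echo "usage: $0 deploy|destroy" >&2; exit 2 ;;
esac
```

Run it as `ALLOWED_ACCOUNTS="123456789012" sh deploy.sh deploy` from the repository root and `sh deploy.sh destroy` when you are done; the account allowlist is the one line that keeps a copy-paste from landing the insecure workload in a production account.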
terraform init
Initializes the Terraform working directory and downloads provider plugins.
terraform plan
Generates and shows an execution plan for creating the EKS cluster.
terraform apply
Applies the Terraform plan to create the EKS cluster and node groups.
aws eks --region $(terraform output -raw region) update-kubeconfig --name $(terraform output -raw cluster_name)
Updates the local kubeconfig file to connect to the newly created EKS cluster.
helm install insecure-app . --create-namespace --namespace=insecure-app
Deploys the insecure Kubernetes application and supporting pods into the cluster.
kubectl get pods -n insecure-app
Lists all pods running in the insecure-app namespace.
kubectl port-forward pod/[POD-NAME] 8080:8080 -n insecure-app
Forwards local port 8080 to the insecure app pod, enabling browser-based testing.
kubectl exec -it [POD-NAME] -n insecure-app -- /bin/bash
Opens an interactive shell inside a pod for manual testing and evaluation.
pwsh
Starts PowerShell inside the pod to run workload security evaluation commands.
Invoke-AtomicTest T1105-27 -ShowDetails
Runs a specific atomic test within the workload security evaluator pod to simulate attack techniques.
terraform destroy
Deletes all resources created by Terraform to avoid ongoing costs.