Deploying WebGoat on OpenShift

The following steps can be tested on the Red Hat OpenShift Playground, which gives you a fully functional OpenShift environment for 1 hour.

The steps show how to deploy a container from Docker Hub to an OpenShift cluster in the cloud. OpenShift requires that a Docker image is built according to some rules, which are more or less enforced by the Security Context Constraints. For instance, the image should not run as the root user and should have well-defined ports.

In my first attempt to deploy the webgoat/goatandwolf image on OpenShift, I stumbled on an access denied problem when writing the webgoat.log file. This is because the guideline for supporting arbitrary user IDs was not (yet) implemented.

Therefore, I will first show an example of a container image that is already OpenShift compliant.

The following steps can be done in the OpenShift Playground terminal environment.

oc login -u developer -p developer
oc new-project owasp-project
oc new-app bkimminich/juice-shop --name juice-shop-app
oc expose svc/juice-shop-app

In the OpenShift Playground you can go to the WebConsole in the developer perspective and click on the application to find the URL to the resource on the cloud.

That’s all there is to it in an already configured OpenShift environment.

In order to run WebGoat, an arbitrary user must be able to start the java process, write the log files and create the .webgoat* files which are used by both WebGoat and WebWolf. In order to do this, I added the


to the Java start commands. I also added the following two lines to the Dockerfile:

RUN chgrp -R 0 /home/webgoat
RUN chmod -R g=u /home/webgoat
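
As an added example (not part of the original post or the WebGoat image), the shell function below audits a directory tree for what those two Dockerfile lines establish: ownership by group 0, the group an arbitrary OpenShift user ID runs with, and group permissions that are not weaker than the owner's. The function name check_arbitrary_uid_ready and its optional GID argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a tree against `chgrp -R 0` and `chmod -R g=u`.
# check_arbitrary_uid_ready is a hypothetical helper name, not an OpenShift tool.
#
# usage: check_arbitrary_uid_ready DIR [GID]
#   GID defaults to 0, the group that `chgrp -R 0` assigns.
#   returns 0 if compliant, 1 if offending paths were found, 2 on bad input.
check_arbitrary_uid_ready() {
    dir=$1
    gid=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Entries whose group is not GID (what `chgrp -R` would have fixed).
    # Symlinks are skipped: their own mode and group are not what gets checked
    # when a process opens the target.
    wrong_group=$(find "$dir" ! -type l ! -group "$gid")

    # Entries where the owner holds a permission bit the group lacks
    # (what `chmod -R g=u` would have fixed). Checked per bit: r, w, x.
    wrong_mode=$(find "$dir" ! -type l \( \
        \( -perm -400 ! -perm -040 \) -o \
        \( -perm -200 ! -perm -020 \) -o \
        \( -perm -100 ! -perm -010 \) \))

    status=0
    if [ -n "$wrong_group" ]; then
        printf 'group is not %s:\n%s\n' "$gid" "$wrong_group"
        status=1
    fi
    if [ -n "$wrong_mode" ]; then
        printf 'group permissions weaker than owner:\n%s\n' "$wrong_mode"
        status=1
    fi
    return $status
}
```

Inside the built image, calling check_arbitrary_uid_ready /home/webgoat lists any path that would still produce the access denied error when the container runs under an arbitrary user ID.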

The following OpenShift commands deploy and expose WebGoat:

oc login -u developer -p developer
oc new-project owasp
oc new-app webgoat/goatandwolf:openshift -e TZ=Europe/Amsterdam -e WEBGOAT_PORT=8080 --name webgoat-app
oc expose svc/webgoat-app --port 8080 --path=/WebGoat --name goatport

The endpoint will be something like: http://goatport-owasp……