
About CTFGarden

CTFGarden is an open-source Kubernetes-based server designed for hosting Jeopardy-style Capture The Flag (CTF) competitions. It provides a scalable and flexible platform for CTF organizers to create and manage their events efficiently.

Basic design

  • The server is built using Kubernetes to ensure high availability and scalability.
  • Challenges and event metadata are stored in a Git repository using a subset of docker-compose syntax, extended with some custom fields for CTF-specific metadata.
  • Users are managed using a PostgreSQL database, and authentication is handled via JWT tokens.
  • Each user gets their own instance of challenges, which are deployed as an isolated namespace in Kubernetes. Challenges are isolated from each other using network policies.
  • Challenge authors get a service account that allows them to interact with all instances of their challenges.
  • Challenges can expose TCP (exposed via TLS so we can use SNI) and HTTP (exposed via HTTPS with a custom hostname) services.

Non-goals

These are things we intentionally do not want to support in CTFGarden.

Use CRDs to manage CTFs and challenges

While using Kubernetes Custom Resource Definitions (CRDs) to manage CTFs and challenges might seem like a natural fit, I consider it unnecessary complexity from a user perspective. A simple Git repository is easier to use, and challenge authors can work in a format they are already familiar with (docker-compose) with some minor extensions. In addition, the source code exported for users can stay very similar to what the platform sees.

Allowing privileged access for pods, hostPath volumes, or custom Kubernetes resources

This is not a goal because it would be a security risk. Allowing privileged access would make it easier for attackers to escape the challenge environment and potentially compromise the entire cluster. By not allowing privileged access, we can better isolate challenges and protect the underlying infrastructure.
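As an added illustration (not CTFGarden's own code), the sketch below shows how a platform that ingests docker-compose files could refuse services that request host-level access before anything is deployed. The rule set is an assumption: besides `privileged` and host-path volumes it also rejects host namespaces, `cap_add` and `devices`, which goes beyond what this page lists, and the input is assumed to be already parsed from YAML into dictionaries.

```python
# Added example: flag compose services that ask for host-level access.
# The rule set is an assumption, not CTFGarden's actual allow-list.

FORBIDDEN_KEYS = {
    "privileged": lambda v: v is True,
    "cap_add": lambda v: bool(v),
    "devices": lambda v: bool(v),
    "network_mode": lambda v: v == "host",
    "pid": lambda v: v == "host",
    "ipc": lambda v: v == "host",
}

def host_path_volumes(volumes):
    """Return the host-side sources of volume entries that bind-mount a host path."""
    found = []
    for vol in volumes or []:
        if isinstance(vol, dict):  # long syntax: {type, source, target}
            if vol.get("type") == "bind":
                found.append(vol.get("source", ""))
        else:  # short syntax: "SOURCE:TARGET[:MODE]" or just "TARGET"
            text = str(vol)
            source = text.split(":", 1)[0]
            # A bare container path has no colon; a named volume has no path prefix.
            if ":" in text and source.startswith(("/", ".", "~")):
                found.append(source)
    return found

def violations(compose):
    """List (service, reason) pairs for a parsed compose document."""
    out = []
    for name, svc in sorted((compose.get("services") or {}).items()):
        for key, is_bad in FORBIDDEN_KEYS.items():
            if key in svc and is_bad(svc[key]):
                out.append((name, f"{key}={svc[key]!r}"))
        for src in host_path_volumes(svc.get("volumes")):
            out.append((name, f"host path volume {src!r}"))
    return out

# Constructed sample input (service names and images are made up).
SAMPLE = {"services": {
    "web": {"image": "example/web", "volumes": ["data:/var/lib/app"]},
    "pwn": {"image": "example/pwn", "privileged": True,
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock",
                        {"type": "bind", "source": "/etc", "target": "/host-etc"}]},
}}

if __name__ == "__main__":
    for service, reason in violations(SAMPLE):
        print(f"{service}: {reason}")
```

A check like this only covers the compose input; cluster-side enforcement at admission time is still needed so that a bug in the translation layer cannot reintroduce privileged pods.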

Future goals

The following things are on the roadmap for CTFGarden, but are not yet implemented:

  • IPv6 support (+ UDP support)
  • Use the Gateway API instead of Traefik's CRDs
  • Automatic builds of containers

Similar projects

Here are similar open source projects that you might want to check out if you think CTFGarden might not be the right fit for your needs:

  • CTFd: A popular open-source CTF platform that is easy to set up and use.
  • Berg: A CTF platform built on top of Kubernetes. Unlike CTFGarden, Berg uses Kubernetes Custom Resource Definitions (CRDs) to manage CTFs and challenges.
