Kubernetes and Helm Security


I’ve been playing around with K8s and it is so attractive to just utter ​helm install stable/wordpress and get a running WordPress installation.

But https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/ warns us that you can get into real trouble here because tiller which is the server side piece of helm is unprotected, so any exploited pod can get access to the entire cluster.

The solution seems to be to use helm on the client side and emit the kubernetes files into a github repo and then you have something that is reproducible. Helm actually allows the export of helm into native K8s YAML pretty easily. And this leaves you with no server side vulnerabilities in the orchestrator

Related Posts