I’ve been playing around with K8s and it is so attractive to just utter helm install stable/wordpress and get a running WordPress installation.

But https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/ warns us that you can get into real trouble here: Tiller, the server-side piece of Helm, is unprotected in a default install, so any compromised pod can use it to get access to the entire cluster.

The solution seems to be to use Helm only on the client side and emit the Kubernetes files into a GitHub repo, so that you have something reproducible. Helm actually makes it pretty easy to export a chart into native K8s YAML, and this leaves you with no server-side component in the orchestrator to attack.
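Here is what that client-side workflow looks like as a script. This is an added example, not code from the original post or from the Helm project, and it assumes helm, kubectl and git are installed and that you pick the release name, chart (for instance stable/wordpress) and git repo path yourself. It uses the Helm 3 form helm template RELEASE CHART; Tiller only ever existed in Helm 2, where the equivalent is helm template CHART --name RELEASE, and Helm 3 dropped Tiller entirely. The two text checks (listing resource kinds and flagging cluster-scoped RBAC) work on any rendered manifest file and give you something to eyeball in the pull request before anything touches the cluster.

```shell
#!/bin/sh
# Added example (not part of the original post): render a Helm chart purely on the
# client side, commit the YAML to git, sanity-check it, then apply with kubectl.
# Assumes helm, kubectl and git are on PATH; chart/release/repo are your choice.
set -eu

# Render a chart to plain Kubernetes YAML. Nothing here talks to an in-cluster
# Tiller; Helm only evaluates the templates locally and writes them to $3.
render_chart() {
  release=$1; chart=$2; out=$3
  helm template "$release" "$chart" --namespace "${NAMESPACE:-default}" > "$out"
}

# List the distinct resource kinds in a rendered manifest file, space-separated
# and sorted, so a reviewer sees at a glance what the chart will create.
manifest_kinds() {
  grep -E '^kind:' "$1" | awk '{print $2}' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# True (exit 0) if the manifest defines cluster-scoped RBAC. A namespaced app
# such as WordPress should not need this; if it shows up, read it before applying.
has_cluster_binding() {
  grep -qE '^kind: *(ClusterRole|ClusterRoleBinding) *$' "$1"
}

# Defender-side check that no Tiller deployment is left in the cluster
# (tiller-deploy in kube-system is where Helm 2 installed it by default).
tiller_present() {
  kubectl get deployment tiller-deploy -n kube-system >/dev/null 2>&1
}

main() {
  release=$1; chart=$2; repo=${3:-.}
  out="$repo/$release.yaml"

  render_chart "$release" "$chart" "$out"
  echo "rendered kinds: $(manifest_kinds "$out")"
  if has_cluster_binding "$out"; then
    echo "warning: $out contains cluster-scoped RBAC; review before applying" >&2
  fi
  if tiller_present; then
    echo "warning: tiller-deploy still exists in kube-system" >&2
  fi

  # The rendered YAML, not the chart, is the reproducible record of the deploy.
  git -C "$repo" add "$out"
  git -C "$repo" commit -m "Render $chart as release $release"
  kubectl apply -f "$out"
}

# Only run the end-to-end flow when invoked as: sh render.sh RELEASE CHART [REPO]
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Run it as sh render.sh wordpress stable/wordpress ./k8s-manifests from inside a checkout of the repo that holds your manifests; the helper functions can also be sourced on their own to inspect YAML you rendered some other way.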

I’m Rich & Co.

Welcome to Tongfamily, our cozy corner of the internet dedicated to all things technology and interesting. Here, we invite you to join us on a journey of tips, tricks, and traps. Let’s get geeky!