Attacking Default Installs of Helm on Kubernetes(blog.ropnop.com)
blog.ropnop.com
Attacking Default Installs of Helm on Kubernetes
https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/
12 comments
I think we are going to start seeing quite a lot more 'k8s is insecure' posts in the future (not that we haven't seen quite a bit this past year alone).
Helm 3 removes the server side component and it inherits permissions from your .kube/config. It is in beta now, I really need to give it a spin.
+1, we're looking at it with OpenFaaS - https://github.com/openfaas/faas-netes/issues/520
I believe AWS has a good guide on setting up a “secure” Helm deployment running Tiller locally using EKS:
https://docs.aws.amazon.com/eks/latest/userguide/helm.html
https://docs.aws.amazon.com/eks/latest/userguide/helm.html
The projects own documentation has always made the steps required for secure deployment pretty clear too https://helm.sh/docs/using_helm/#securing-your-helm-installa...
The issue is the server side tiller component. This is going away in Helm 3.
The issue is the server side tiller component. This is going away in Helm 3.
Setting up Helm seems to be part of a lot of "first steps" tutorial, and it makes a lot of sense, Helm is very helpful especially when starting out with K8S – I'm still in the starting-out phase and I find it very helpful. But for me, and possibly that audience in general, this document doesn't feel very actionable, it assumes quite a bit of in-depth knowledge, that I currently don't have yet. I realize that's part of the learning curve, but for a tool that's so popular and so easy to set up and run, it feels like it should be easier to find more newbie-friendly material on how to secure it properly (I haven't been able to find much). Things being as they are, I'd expect there to be a lot of insecure tiller installs on GKEs out there.
> doesn't feel very actionable, it assumes quite a bit of in-depth knowledge
Think you've hit the nail on the head there, it's a fair criticism.
Think you've hit the nail on the head there, it's a fair criticism.