
Attacking Default Installs of Helm on Kubernetes - alexellisuk
https://blog.ropnop.com/attacking-default-installs-of-helm-on-kubernetes/
======
dgoog
I think we are going to start seeing quite a lot more 'k8s is insecure' posts
in the future (not that we haven't seen quite a bit this past year alone).

~~~
xnxn
It would be unfair to put this post in that category. Helm is an unfortunately
popular third-party add-on with insecure defaults.

~~~
dgoog
it's still in the k8s ecosystem - the entire ecosystem is a disaster

------
colek42
Helm 3 removes the server-side component and it inherits permissions from your
.kube/config. It is in beta now, I really need to give it a spin.

~~~
alexellisuk
+1, we're looking at it with OpenFaaS - [https://github.com/openfaas/faas-netes/issues/520](https://github.com/openfaas/faas-netes/issues/520)

------
nodesocket
I believe AWS has a good guide on setting up a “secure” Helm deployment
running Tiller locally using EKS:

[https://docs.aws.amazon.com/eks/latest/userguide/helm.html](https://docs.aws.amazon.com/eks/latest/userguide/helm.html)

~~~
charlieegan3
The project's own documentation has always made the steps required for secure
deployment pretty clear too [https://helm.sh/docs/using_helm/#securing-your-helm-installation](https://helm.sh/docs/using_helm/#securing-your-helm-installation)

The issue is the server-side tiller component. This is going away in Helm 3.

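As an added illustration of the "securing your Helm installation" steps the comment above refers to (this is example code written for this page, not code from the linked post, from Helm's documentation, or from any commenter), here is the Tiller setup most "first steps" tutorials use, printed beside a hardened variant that follows the Helm 2 guidance: a per-namespace Tiller bound to a namespaced Role instead of cluster-admin, mutual TLS between helm and Tiller, release data stored in Secrets, and Tiller listening only on localhost. The namespace `apps`, the service account name `tiller`, the Role's resource list and the certificate paths are assumptions; nothing below talks to a cluster, each function only prints the commands or manifests so they can be reviewed, piped to `kubectl apply -f -`, or audited.

```shell
#!/bin/sh
# Added example for this page; not Helm's own code or the linked post's.
# Namespace, service account name, Role rules and cert paths are assumptions.

# The common tutorial shortcut: a single Tiller in kube-system bound to
# cluster-admin, no TLS, release data in ConfigMaps. Anything that can reach
# the Tiller service inherits cluster-admin.
insecure_tiller_setup() {
    cat <<'EOF'
kubectl -n kube-system create serviceaccount tiller
kubectl create clusterrolebinding tiller-cluster-rule \
    --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
helm init --service-account tiller
EOF
}

# Hardened RBAC: one Tiller per namespace, bound to a Role that can only
# manage the kinds of objects your charts actually create in that namespace.
hardened_tiller_setup() {
    ns="$1"
    cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tiller-manager
  namespace: ${ns}
rules:
- apiGroups: ["", "apps", "extensions"]
  resources: ["configmaps", "secrets", "services", "deployments", "pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-binding
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-manager
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: ${ns}
EOF
}

# Matching helm init: TLS required and verified, releases kept in Secrets,
# and Tiller bound to localhost so the helm client reaches it through
# kubectl port-forward rather than from any pod on the cluster network.
# Certificates are assumed to have been generated beforehand.
hardened_helm_init() {
    ns="$1"
    cat <<EOF
helm init --service-account tiller --tiller-namespace ${ns} \\
    --tiller-tls --tiller-tls-verify \\
    --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem \\
    --tls-ca-cert ./ca.cert.pem \\
    --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret,--listen=localhost:44134}'
EOF
}

# Audit helper: reads manifests or kubectl commands on stdin and fails if
# they hand Tiller cluster-admin or any cluster-wide binding.
tiller_rbac_is_scoped() {
    ! grep -Eq 'cluster-admin|kind: ClusterRoleBinding|clusterrolebinding'
}

# Usage: print the hardened manifests for the "apps" namespace and audit them.
hardened_tiller_setup apps | tiller_rbac_is_scoped && echo "tiller RBAC is namespace-scoped"
```

After a TLS-enabled init, every helm command that talks to Tiller needs `--tls` (or `HELM_TLS_ENABLE=true`) and the client certificate; the usual failure is a working `helm init` followed by a hang, because the client is still trying to speak plaintext. The audit function is deliberately a crude grep so it can also be pointed at the shell history of a tutorial someone followed.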
~~~
dividedbyzero
Setting up Helm seems to be part of a lot of "first steps" tutorials, and it
makes a lot of sense; Helm is very helpful especially when starting out with
K8S – I'm still in the starting-out phase and I find it very helpful. But for
me, and possibly that audience in general, this document doesn't feel very
actionable; it assumes quite a bit of in-depth knowledge that I currently
don't have yet. I realize that's part of the learning curve, but for a tool
that's so popular and so easy to set up and run, it feels like it should be
easier to find more newbie-friendly material on how to secure it properly (I
haven't been able to find much). Things being as they are, I'd expect there to
be a lot of insecure tiller installs on GKEs out there.

~~~
charlieegan3
> doesn't feel very actionable, it assumes quite a bit of in-depth knowledge

Think you've hit the nail on the head there; it's a fair criticism.

------
quaa55
operators.

~~~
alexellisuk
installed with helm :-D

