Ensure Tiller (Helm V2) is not deployed

Error: Tiller (Helm V2) is deployed

Bridgecrew Policy ID: BC_K8S_32
Checkov Check ID: CKV_K8S_34
Severity: LOW

Tiller (Helm V2) is deployed

Description

Tiller (Helm v2) is the in-cluster component of Helm. It interacts directly with the Kubernetes API server to install, upgrade, query, and remove Kubernetes resources. It also stores the objects that represent releases. Its permissive configuration could grant the users a broad range of permissions.

New versions of Kubernetes and Helm v3 have made Tiller obsolete, with its over permissive function in existing workloads remaining a security liability.

Consider upgrading to use Helm v3, which only runs on client machines. Not all charts may support Helm 3, but the number that do is growing rapidly.

Fix - Runtime

CLI Command

helm reset

Or, use helm reset --force to force the removal if charts are installed. You still need to remove the releases manually.

Fix - Buildtime

Kubernetes

  • Resource: Container
  • Arguments:
    labels:app / name - specifies the app label for the pod
    image - defines the image used by the container
apiVersion: v1
kind: Pod
metadata:
  name: <name>
  labels:
-   app: helm
-   name: tiller
spec:
  containers:
  - name: <container name>
-   image: tiller