Ensure Tiller (Helm V2) deployment is not accessible from within the cluster
Error: Tiller (Helm V2) deployment is accessible from within the cluster
Bridgecrew Policy ID: BC_K8S_40
Checkov Check ID: CKV_K8S_45
Tiller (Helm V2) deployment is accessible from within the cluster
Tiller (Helm v2) is the in-cluster component of Helm. It interacts directly with the Kubernetes API server to install, upgrade, query, and remove Kubernetes resources. It also stores the objects that represent releases. Its permissive configuration could grant the users a broad range of permissions.
Helm v3 removes Tiller, and it is recommended that you upgrade: see Ensure Tiller (Helm V2) Is Not Deployed. However, this is not always feasible.
Restricting access to Tiller from within the cluster limits the abilities of a compromised pod or anonymous user in the cluster.
Fix - Runtime
kubectl -n kube-system patch deployment tiller-deploy --patch ' spec: template: spec: containers: - name: tiller ports:  args: ["--listen=localhost:44134"] '
Fix - Buildtime
- Resource: Container
apiVersion: apps/v1 kind: Deployment metadata: name: tiller labels: app: tiller spec: progressDeadlineSeconds: 600 replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app: helm name: tiller template: metadata: creationTimestamp: null labels: app: helm name: tiller spec: automountServiceAccountToken: true containers: + - args: + - --listen=localhost:44134 env: - name: TILLER_NAMESPACE value: kube-system - name: TILLER_HISTORY_MAX value: "0" image: gcr.io/kubernetes-helm/tiller:v2.16.9 name: tiller - ports: - - containerPort: 44134 - name: tiller - protocol: TCP - - containerPort: 44135 - name: http - protocol: TCP
Updated 4 months ago