Ensure Tiller (Helm v2) service is deleted

Error: Tiller (Helm v2) service is not deleted

Bridgecrew Policy ID: BC_K8S_41
Checkov Check ID: CKV_K8S_44
Severity: LOW


Description

Tiller (Helm v2) is the in-cluster server component of Helm. It talks directly to the Kubernetes API server to install, upgrade, query, and remove Kubernetes resources, and it stores the objects that represent releases. In the default installation Tiller runs with a highly privileged service account (commonly cluster-admin) and accepts unauthenticated gRPC connections on port 44134, so any client that can reach it can act on the cluster with Tiller's permissions.

Helm v3 removes Tiller, and it is recommended that you upgrade: see Ensure Tiller (Helm V2) Is Not Deployed. However, this is not always feasible.

Restricting network access to Tiller from within the cluster (for example with a NetworkPolicy) limits what a compromised pod or an anonymous user in the cluster can do with it.

Once connectivity to the Tiller deployment has been restricted, the Tiller Service can be deleted. Without the Service there is no stable ClusterIP or DNS name (tiller-deploy.kube-system) by which in-cluster clients can find Tiller. The Helm v2 CLI does not need the Service: by default it reaches Tiller by port-forwarding to the Tiller pod through the API server. Deleting the Service does not remove Tiller itself; the pods remain reachable by pod IP, which is why the network restriction comes first.

Fix - Runtime

CLI Commands

kubectl -n kube-system delete service tiller-deploy
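Before deleting, it is worth confirming which Services actually point at Tiller, since a cluster that was bootstrapped by hand may not use the conventional name. The following added example (not code from the Bridgecrew page and not the Checkov implementation of CKV_K8S_44) audits the JSON that `kubectl get services -A -o json` returns and flags any Service whose name is tiller-deploy or whose selector is the app=helm, name=tiller pair that `helm init` uses, then prints the matching delete commands. The sample ServiceList embedded in the block is constructed for the example.

```python
"""Find Tiller (Helm v2) Services in `kubectl get services -A -o json` output.

Added example; not part of the Bridgecrew/Checkov page and not Checkov's own
check logic. Signals used, both taken from the page's buildtime fix:
  - the conventional Service name, tiller-deploy
  - the pod selector that `helm init` creates: app=helm, name=tiller
"""
import json

TILLER_NAME = "tiller-deploy"
TILLER_SELECTOR = {"app": "helm", "name": "tiller"}


def is_tiller_service(svc):
    """Return True when a Service object looks like the Helm v2 Tiller service.

    Either signal alone is enough: a hand-deployed Tiller may be renamed but
    keeps the selector, and a Service with the conventional name is suspect
    even if its selector has been edited.
    """
    meta = svc.get("metadata") or {}
    spec = svc.get("spec") or {}
    selector = spec.get("selector") or {}

    by_name = meta.get("name") == TILLER_NAME
    by_selector = all(selector.get(k) == v for k, v in TILLER_SELECTOR.items())
    return by_name or by_selector


def find_tiller_services(kubectl_json):
    """Parse kubectl JSON (a List/ServiceList, or a single Service) and return
    "namespace/name" for every Tiller Service, in document order."""
    data = json.loads(kubectl_json)
    # kubectl emits kind "List" with the objects under "items"; the raw API
    # server response uses kind "ServiceList". Both carry "items".
    items = data["items"] if "items" in data else [data]
    found = []
    for svc in items:
        if is_tiller_service(svc):
            meta = svc["metadata"]
            found.append(f"{meta.get('namespace', 'default')}/{meta['name']}")
    return found


def remediation_commands(findings):
    """Map each "namespace/name" finding to the runtime fix from the page."""
    cmds = []
    for finding in findings:
        ns, name = finding.split("/", 1)
        cmds.append(f"kubectl -n {ns} delete service {name}")
    return cmds


# Constructed sample: the shape of `kubectl get services -A -o json` on a
# cluster that still runs Tiller. Only the fields the checks read are included.
SAMPLE_SERVICE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # ordinary Service, must not be flagged
            "apiVersion": "v1", "kind": "Service",
            "metadata": {"name": "kubernetes", "namespace": "default"},
            "spec": {"ports": [{"port": 443, "protocol": "TCP"}], "type": "ClusterIP"},
        },
        {   # the Service from the page's buildtime fix
            "apiVersion": "v1", "kind": "Service",
            "metadata": {"name": "tiller-deploy", "namespace": "kube-system",
                         "labels": {"app": "helm", "name": "tiller"}},
            "spec": {"ports": [{"name": "tiller", "port": 44134,
                                "protocol": "TCP", "targetPort": "tiller"}],
                     "selector": {"app": "helm", "name": "tiller"},
                     "type": "ClusterIP"},
        },
        {   # renamed Tiller Service; caught by its selector only
            "apiVersion": "v1", "kind": "Service",
            "metadata": {"name": "helm-legacy", "namespace": "tools"},
            "spec": {"ports": [{"port": 44134, "protocol": "TCP"}],
                     "selector": {"app": "helm", "name": "tiller"},
                     "type": "ClusterIP"},
        },
    ],
})

if __name__ == "__main__":
    for cmd in remediation_commands(find_tiller_services(SAMPLE_SERVICE_LIST)):
        print(cmd)
```

Against a live cluster, feed the script the output of `kubectl get services -A -o json` instead of the embedded sample; review the printed commands before running them, and confirm afterwards with `kubectl -n kube-system get service tiller-deploy`, which should report that the Service is not found.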

Fix - Buildtime

Kubernetes

  • Resource: Service. Remove the entire Tiller Service object from the manifest; the lines below, each marked with a leading -, are the object to delete.
-- apiVersion: v1
-  kind: Service
-  metadata:
-    labels:
-      app: helm
-      name: tiller
-    name: tiller-deploy
-    namespace: kube-system
-  spec:
-    ports:
-    - name: tiller
-      port: 44134
-      protocol: TCP
-      targetPort: tiller
-    selector:
-      app: helm
-      name: tiller
-    type: ClusterIP
