C-0033 - Access tiller endpoint


MITRE, YAML-scanning, AllControls



Description of the issue

Helm is a popular package manager for Kubernetes maintained by CNCF. Tiller is the server-side component of Helm up to version 2. Tiller exposes an internal gRPC endpoint in the cluster, listening on port 44134. By default, this endpoint does not require authentication. An attacker who can run code in any container that can reach Tiller's service can perform actions in the cluster using Tiller's service account, which often has high privileges.

Related resources


What does this control test

Check if tiller exists in any namespace by verifying the name of Deployments.
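The following is an added example, not code from this page or from the scanner itself, showing one way to run this check over the JSON that `kubectl get deployments --all-namespaces -o json` returns. It goes beyond the name check by also flagging Deployments that declare port 44134. The sample data, the function name `find_tiller`, and matching "tiller" as a whole dash-separated token are assumptions of this example.

```python
import json

TILLER_PORT = 44134  # Tiller's gRPC port, as given in the description above

# Constructed sample in the shape of `kubectl get deployments --all-namespaces -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "tiller-deploy", "namespace": "kube-system"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "tiller", "image": "example.invalid/tiller:v2",
      "ports": [{"containerPort": 44134}]}]}}}},
  {"metadata": {"name": "web", "namespace": "shop"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "nginx", "image": "example.invalid/nginx:1"}]}}}},
  {"metadata": {"name": "release-manager", "namespace": "ci"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "server", "image": "example.invalid/server:1",
      "ports": [{"containerPort": 44134}]}]}}}},
  {"metadata": {"name": "distiller-api", "namespace": "data"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "api", "image": "example.invalid/api:1"}]}}}}
]}
""")

def find_tiller(deployment_list):
    """Return (namespace, name, reasons) for each Deployment that looks like Tiller."""
    findings = []
    for dep in deployment_list.get("items", []):
        meta = dep.get("metadata", {})
        name = meta.get("name", "")
        reasons = []
        # Name check. Token match (an assumption here) avoids flagging "distiller-api".
        if "tiller" in name.lower().split("-"):
            reasons.append("name")
        # Added beyond the name check: a renamed Deployment that declares Tiller's port.
        pod_spec = dep.get("spec", {}).get("template", {}).get("spec", {})
        for container in pod_spec.get("containers", []):
            ports = container.get("ports") or []
            if any(p.get("containerPort") == TILLER_PORT for p in ports):
                reasons.append("port")
                break
        if reasons:
            findings.append((meta.get("namespace", "default"), name, reasons))
    return findings

if __name__ == "__main__":
    for ns, name, reasons in find_tiller(SAMPLE):
        print(f"{ns}/{name}: matched on {', '.join(reasons)}")
```

`containerPort` is declarative, so a Deployment that does not list the port can still be listening on it; treat an empty result as "no Tiller found by name or declared port", not as proof of absence.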


Use a version of Helm higher than 2, which doesn’t use Tiller.


No example
