C-0033 - Access tiller endpoint

Access tiller endpoint

Framework

YAML-scanning, AllControls, MITRE

Severity

Medium

Description of the issue

Helm is a popular package manager for Kubernetes maintained by the CNCF. Tiller is the server-side component of Helm up to version 2. Tiller exposes an internal gRPC endpoint in the cluster, listening on port 44134. By default, this endpoint does not require authentication. An attacker who can run code in any container that can reach the Tiller service may perform actions in the cluster using Tiller's service account, which often has high privileges.

Related resources

Deployment

What does this control test

Check if tiller exists in any namespace by verifying the name of Deployments.
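The following is an added example, not Kubescape's own rule logic: it applies the check described above (a Deployment whose name identifies Tiller) to the JSON that `kubectl get deployments -A -o json` prints, and goes one step further by also flagging any container that exposes Tiller's gRPC port 44134. The sample document, the image names and the function names are constructed for this illustration.

```python
"""Find Tiller-style Deployments in kubectl JSON output.

Hypothetical helper written for this page (not part of Kubescape). It
mirrors control C-0033, which looks for Deployments named after Tiller,
and additionally reports containers exposing Tiller's port 44134.
"""
import json

TILLER_PORT = 44134  # Tiller's gRPC port, from the control description

# Constructed sample of `kubectl get deployments -A -o json`, trimmed to
# the fields this check reads. Image names are placeholders.
SAMPLE_DEPLOYMENTS_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "kind": "Deployment",
            "metadata": {"name": "tiller-deploy", "namespace": "kube-system"},
            "spec": {"template": {"spec": {"containers": [
                {"name": "tiller", "image": "example.invalid/tiller:v2",
                 "ports": [{"containerPort": 44134, "name": "tiller"}]},
            ]}}},
        },
        {
            "kind": "Deployment",
            "metadata": {"name": "web", "namespace": "default"},
            "spec": {"template": {"spec": {"containers": [
                {"name": "nginx", "image": "example.invalid/nginx:1",
                 "ports": [{"containerPort": 80}]},
            ]}}},
        },
        {
            "kind": "Deployment",
            "metadata": {"name": "legacy-helm-server", "namespace": "tools"},
            "spec": {"template": {"spec": {"containers": [
                {"name": "srv", "image": "example.invalid/srv:1",
                 "ports": [{"containerPort": 44134}]},
            ]}}},
        },
    ],
})


def _containers(deployment: dict) -> list:
    """Return the pod template's containers; empty when the spec is partial."""
    return (deployment.get("spec", {})
                      .get("template", {})
                      .get("spec", {})
                      .get("containers", []))


def find_tiller_deployments(deployments_json: str) -> list:
    """Return one finding per Deployment that looks like Tiller.

    Accepts either a List (kubectl with -A) or a single Deployment object.
    The name match is the check C-0033 describes; the port match is an
    extra signal added in this example.
    """
    doc = json.loads(deployments_json)
    items = doc.get("items", [doc])  # a List, or one bare Deployment
    findings = []
    for dep in items:
        if dep.get("kind") != "Deployment":
            continue
        meta = dep.get("metadata", {})
        name = meta.get("name", "")
        reasons = []
        if "tiller" in name.lower():
            reasons.append("deployment name contains 'tiller'")
        for container in _containers(dep):
            ports = container.get("ports", [])
            if any(p.get("containerPort") == TILLER_PORT for p in ports):
                reasons.append(
                    f"container '{container.get('name', '?')}' "
                    f"exposes port {TILLER_PORT}")
        if reasons:
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "name": name,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_tiller_deployments(SAMPLE_DEPLOYMENTS_JSON):
        print(f"{finding['namespace']}/{finding['name']}: "
              + "; ".join(finding["reasons"]))
```

On a cluster managed only with Helm 3 the function returns an empty list, which is the expected state; a non-empty result points at the Deployment to remove once the Helm 3 migration is done. The port check catches a Tiller that was renamed, at the cost of possible false positives from unrelated services on 44134, so the name match remains the primary signal.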

Remediation

Use Helm version 3 or later, which does not use Tiller.

Example

No example
