C-0033 - Access tiller endpoint
Framework
YAML-scanning, AllControls, MITRE
Severity
Medium
Description of the issue
Helm is a popular package manager for Kubernetes maintained by the CNCF. Tiller is the server-side component of Helm up to version 2. Tiller exposes an internal gRPC endpoint in the cluster, listening on port 44134. By default, this endpoint does not require authentication. An attacker who can run code in any container that can reach the Tiller service may perform actions in the cluster using Tiller's service account, which often has high privileges.
Related resources
Deployment
What does this control test
Checks whether Tiller exists in any namespace by inspecting the names of Deployments.
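As an added illustration of this check (not Kubescape's own rule code): a small Python function that scans Deployment objects, in the shape returned by `kubectl get deployments -A -o json`, for Tiller by name, and, as an extension assumed here, also by a container declaring the port 44134 mentioned in the description. The sample Deployments are constructed.

```python
# Added example: flag Deployments that look like Helm 2 Tiller (control C-0033).
# Input shape follows the `items` of `kubectl get deployments -A -o json`;
# the sample data below is constructed, not captured from a real cluster.
from typing import Dict, List

TILLER_PORT = 44134  # gRPC port Tiller listens on, per the control text


def _container_ports(deployment: Dict) -> List[int]:
    """Collect declared containerPorts across all containers of the pod template."""
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    return [int(p["containerPort"])
            for c in pod_spec.get("containers", [])
            for p in c.get("ports", []) if "containerPort" in p]


def find_tiller_deployments(deployments: List[Dict]) -> List[Dict]:
    """One finding per suspicious Deployment: namespace, name, and reasons.
    Primary signal (what the control describes): the name contains 'tiller'.
    Secondary signal (an assumption added here): a container declares
    port 44134, which also catches a renamed Tiller.
    """
    findings = []
    for dep in deployments:
        meta = dep.get("metadata", {})
        name = meta.get("name", "")
        reasons = []
        if "tiller" in name.lower():
            reasons.append("name matches tiller")
        if TILLER_PORT in _container_ports(dep):
            reasons.append(f"container exposes port {TILLER_PORT}")
        if reasons:
            findings.append({"namespace": meta.get("namespace", "default"),
                             "name": name, "reasons": reasons})
    return findings


def _deployment(name: str, namespace: str, port: int) -> Dict:
    """Build a minimal Deployment object for the constructed sample."""
    return {"metadata": {"name": name, "namespace": namespace},
            "spec": {"template": {"spec": {"containers": [
                {"name": name, "ports": [{"containerPort": port}]}]}}}}


# Constructed sample: classic tiller-deploy, a renamed Tiller, and a benign app.
SAMPLE_DEPLOYMENTS = [
    _deployment("tiller-deploy", "kube-system", 44134),
    _deployment("helm-server", "tools", 44134),
    _deployment("web", "default", 8080),
]
```

A Deployment with no pod template (for example a partially extracted object) is handled: the port check simply yields nothing and only the name signal applies.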
Remediation
Use a Helm version higher than 2 (Helm 3 or later), which does not use Tiller.
Example
No example