Tiller (Helm V2) deployment is accessible from within the cluster

Description

Tiller (Helm v2) is the in-cluster component of Helm. It interacts directly with the Kubernetes API server to install, upgrade, query, and remove Kubernetes resources. It also stores the objects that represent releases. Its permissive configuration could grant the users a broad range of permissions. Helm v3 removes Tiller, and it is recommended that you upgrade: see link:doc:bc_k8s_32[Ensure Tiller (Helm V2) Is Not Deployed]. However, this is not always feasible. Restricting access to Tiller from within the cluster limits the abilities of a compromised pod or anonymous user in the cluster.

Code Example

shell

{
 "kubectl -n kube-system patch deployment tiller-deploy --patch '
spec:
  template:
    spec:
      containers:
        - name: tiller
          ports: []
          args: ["--listen=localhost:44134"]
'",
}

Remediation

CLI Command*

Rule Details

Field	Value
ID	IAC-1123
Severity	LOW
IaC Type	Kubernetes
Frameworks	Kubernetes,
Checkov ID	CKV_K8S_45

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Tiller (Helm V2) deployment is accessible from within the cluster

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Tiller (Helm V2) deployment is accessible from within the cluster ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

Tiller (Helm V2) deployment is accessible from within the cluster

Description

Code Example

Remediation

Rule Details

References