
Risks

Avoiding risks with HELM

HELM is a powerful tool for managing Kubernetes applications, enabling quick installation and uninstallation of applications within the cluster. However, it also introduces potential risks that need to be mitigated through proper permissions and user restrictions.

 

Potential Risks with HELM

Uncontrolled Application Deletion:

The command helm delete $(helm list | head -n 2 | tail -n 1 | awk '{print $1}') deletes the first application listed by helm list. A simple loop can be used to delete all applications, leading to potential disruptions and loss of service.

Sensitive Operations:

HELM can deploy entire applications, making it crucial to control which images and configurations are used to prevent unauthorized or insecure deployments.

Mitigation Measures

To secure HELM usage and prevent malicious or accidental deletions or modifications, implement the following measures:

Restrict HELM Commands:

Restrict the use of HELM commands to only those users who absolutely need them. Ensure that only administrators with sudo privileges can execute HELM commands.

Limit Access to helm list:

Restrict access to the helm list command to prevent unauthorized users from viewing or manipulating the list of installed applications. This can be done using RBAC policies.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: helm-reader
rules:
# Caveat: Helm 3's default storage driver keeps release records as Secrets,
# so match this rule to where your Helm version actually stores releases.
- apiGroups: ["helm.sh"]
  resources: ["releases"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-helm-releases
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: helm-reader
  apiGroup: rbac.authorization.k8s.io

Control Image Sources:

Ensure that only images from trusted local registries are deployed. Implement measures like M009 to enforce image policies and M005 to prevent unwanted communications.

Audit and Monitor HELM Usage:

Monitor and audit the use of HELM commands. Keep logs of who executed which commands and when, and alert administrators to any suspicious activity.
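The audit step above, sketched as an added example (not code from the original page): it scans Kubernetes API audit events for deletions of Helm release records and flags both deletes by users outside an approved list and one user removing several releases in a short window, which is the loop scenario described under Uncontrolled Application Deletion. Assumptions: Helm 3's default Secret storage driver, JSON-lines audit events, and the hypothetical names alice-admin, APPROVED, BULK_THRESHOLD and BULK_WINDOW.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumes Helm 3's default driver: Secrets named sh.helm.release.v1.<release>.v<revision>
PREFIX = "sh.helm.release.v1."
APPROVED = {"alice-admin"}                             # hypothetical approved operators
BULK_THRESHOLD, BULK_WINDOW = 3, timedelta(minutes=5)  # distinct releases per user per window

def _event(ts, user, verb, name):  # builds one constructed audit.k8s.io/v1 event line
    return json.dumps({"stage": "ResponseComplete", "verb": verb, "requestReceivedTimestamp": ts,
                       "user": {"username": user},
                       "objectRef": {"resource": "secrets", "namespace": "default", "name": name}})

SAMPLE = [  # constructed events, not real logs
    _event("2024-05-01T10:00:00.000000Z", "alice-admin", "delete", PREFIX + "web.v1"),
    _event("2024-05-01T10:00:00.200000Z", "alice-admin", "delete", PREFIX + "web.v2"),
    _event("2024-05-01T10:00:00.400000Z", "alice-admin", "delete", PREFIX + "web.v3"),
    _event("2024-05-01T10:01:02.000000Z", "jane", "delete", PREFIX + "api.v1"),
    _event("2024-05-01T10:01:05.000000Z", "jane", "delete", PREFIX + "db.v2"),
    _event("2024-05-01T10:01:09.000000Z", "jane", "delete", PREFIX + "cache.v1"),
    _event("2024-05-01T10:02:00.000000Z", "jane", "delete", "tls-cert"),
]

def release_deletions(lines):
    """Yield (time, user, 'namespace/release') for completed release-Secret deletes."""
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        name = ref.get("name", "")
        if (ev.get("verb") == "delete" and ev.get("stage") == "ResponseComplete"
                and ref.get("resource") == "secrets" and name.startswith(PREFIX)):
            ts = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
            release = name[len(PREFIX):].rsplit(".v", 1)[0]  # drop the revision suffix
            yield ts, ev["user"]["username"], f"{ref.get('namespace')}/{release}"

def alerts(lines):
    """Return sorted alerts: deletes by unapproved users and bulk deletes per user."""
    found, by_user = set(), defaultdict(list)
    for ts, user, release in release_deletions(lines):
        if user not in APPROVED:
            found.add(("unapproved-delete", user, release))
        by_user[user].append((ts, release))
    for user, events in by_user.items():
        for start, _ in events:
            window = {r for t, r in events if timedelta(0) <= t - start <= BULK_WINDOW}
            if len(window) >= BULK_THRESHOLD:
                found.add(("bulk-delete", user, ",".join(sorted(window))))
                break
    return sorted(found)
```

Calling alerts(SAMPLE) returns the alert tuples; to run it against a real cluster, pass the lines of the API server's JSON audit log file instead of SAMPLE.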

Consider Alternatives for Production:

In production environments, consider whether HELM is necessary or if alternatives can be used to reduce risk. If HELM must be used, ensure it is properly secured and restricted.

Implement Role-Based Access Control (RBAC):

Use RBAC to define clear permissions for HELM usage, ensuring that only authorized personnel can deploy, modify, or delete applications.

Multi-Factor Authentication (MFA):

Require MFA for accessing systems where HELM commands can be executed. This adds an additional layer of security to prevent unauthorized use.

Example of Restricting HELM Usage with sudo

To ensure that HELM can only be executed with sudo, you can modify the sudoers file:

  • sudo visudo

Add the following lines to restrict HELM usage:

  • Cmnd_Alias HELM_CMDS = /usr/local/bin/helm
  • %admin ALL=(ALL) NOPASSWD: HELM_CMDS

This configuration allows only users in the admin group to execute HELM commands with sudo, ensuring better control over its usage.

