Risks
Avoiding risks with HELM
HELM is a powerful tool for managing Kubernetes applications, enabling quick installation and uninstallation of applications within the cluster. However, it also introduces potential risks that need to be mitigated through proper permissions and user restrictions.
Potential Risks with HELM
Uncontrolled Application Deletion:
The command

    helm delete $(helm list | head -n 2 | tail -n 1 | awk '{print $1}')

deletes the first application listed by helm list. A simple loop can be used to delete all applications, leading to potential disruptions and loss of service.
Sensitive Operations:
HELM can deploy entire applications, making it crucial to control which images and configurations are used to prevent unauthorized or insecure deployments.
Mitigation Measures
To secure HELM usage and prevent malicious or accidental deletions or modifications, implement the following measures:
Restrict HELM Commands:
Restrict the use of HELM commands to only those users who absolutely need it. Ensure that only administrators with sudo privileges can execute HELM commands.
Limit Access to helm list:
Restrict access to the helm list command to prevent unauthorized users from viewing or manipulating the list of installed applications. This can be done using RBAC policies.
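    # Helm 3 keeps release records as Secrets in the release namespace
    # (default storage driver), so "helm list" needs get/list on secrets.
    # This also grants read access to every other Secret in the namespace.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: default
      name: helm-reader
    rules:
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get", "list"]
    ---
    # Bind the read-only role to a single named user in the same namespace.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: read-helm-releases
      namespace: default
    subjects:
    - kind: User
      name: jane
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: helm-reader
      apiGroup: rbac.authorization.k8s.io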
Control Image Sources:
Ensure that only images from trusted local registries are deployed. Implement measures like M009 to enforce image policies and M005 to prevent unwanted communications.
Audit and Monitor HELM Usage:
Monitor and audit the use of HELM commands. Keep logs of who executed which commands and when, and alert administrators to any suspicious activity.
Consider Alternatives for Production:
In production environments, consider whether HELM is necessary or if alternatives can be used to reduce risk. If HELM must be used, ensure it is properly secured and restricted.
Implement Role-Based Access Control (RBAC):
Use RBAC to define clear permissions for HELM usage, ensuring that only authorized personnel can deploy, modify, or delete applications.
Multi-Factor Authentication (MFA):
Require MFA for accessing systems where HELM commands can be executed. This adds an additional layer of security to prevent unauthorized use.
Example of Restricting HELM Usage with sudo
To ensure that HELM can only be executed with sudo, you can modify the sudoers file:
    sudo visudo
Add the following lines to restrict HELM usage:
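    Cmnd_Alias HELM_CMDS = /usr/local/bin/helm
    %admin ALL=(ALL) NOPASSWD: HELM_CMDS

This configuration allows users in the admin group to execute HELM commands with sudo. A sudoers rule on its own does not stop other users from running the binary directly, so the file permissions on /usr/local/bin/helm must also be restricted (for example, owned by root and not executable by other users) to get better control over its usage.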
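For the "Audit and Monitor HELM Usage" measure, the following added example (not part of the original page) scans Kubernetes API audit events for deletions of Helm 3 release Secrets. It flags uninstalls by accounts outside an allowlist and bursts that look like the delete loop described under Potential Risks. It assumes the default Secret storage driver and audit.k8s.io/v1 events, one JSON object per line; the allowlist, thresholds, function names and sample events are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

PREFIX = "sh.helm.release.v1."   # Helm 3 keeps each release revision in a Secret with this name prefix
ALLOWED_USERS = {"ci-deployer"}  # assumption: accounts allowed to uninstall releases
BURST, WINDOW_S = 3, 60          # assumption: 3 distinct releases within 60 s looks like a delete loop

def sample_event(ts, user, name, code=200):
    """Build one constructed audit.k8s.io/v1 event as a JSON line."""
    return json.dumps({"stage": "ResponseComplete", "verb": "delete",
                       "user": {"username": user}, "responseStatus": {"code": code},
                       "objectRef": {"resource": "secrets", "namespace": "default", "name": name},
                       "requestReceivedTimestamp": ts})

SAMPLE_LOG = [  # constructed sample data, not real log output
    sample_event("2024-01-01T10:00:00.000000Z", "ci-deployer", PREFIX + "web.v4"),
    sample_event("2024-01-01T10:05:01.000000Z", "jane", PREFIX + "api.v2"),
    sample_event("2024-01-01T10:05:02.000000Z", "jane", PREFIX + "api.v1"),  # same uninstall, older revision
    sample_event("2024-01-01T10:05:03.000000Z", "jane", PREFIX + "db.v7"),
    sample_event("2024-01-01T10:05:04.000000Z", "jane", PREFIX + "cache.v1"),
    sample_event("2024-01-01T10:06:00.000000Z", "jane", "app-tls"),          # ordinary Secret, not a release
    sample_event("2024-01-01T10:07:00.000000Z", "bob", PREFIX + "web.v5", code=403),  # denied by RBAC
]

def helm_release_deletions(lines):
    """Yield (time, user, namespace, release) for each successful release Secret deletion."""
    for ev in map(json.loads, lines):
        ref = ev.get("objectRef") or {}
        name = ref.get("name") or ""
        if (ev.get("stage") == "ResponseComplete" and ev.get("verb") == "delete"
                and ref.get("resource") == "secrets" and name.startswith(PREFIX)
                and (ev.get("responseStatus") or {}).get("code", 500) < 300):
            when = datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00"))
            # "sh.helm.release.v1.web.v4" -> release "web" (revision suffix dropped)
            yield when, ev["user"]["username"], ref.get("namespace"), name[len(PREFIX):].rsplit(".v", 1)[0]

def alerts(lines):
    """Flag uninstalls by non-allowlisted users and bursts of uninstalls by any one user."""
    out, seen = [], defaultdict(list)
    for when, user, ns, release in helm_release_deletions(lines):
        recent = [(t, r) for t, r in seen[user] if (when - t).total_seconds() <= WINDOW_S]
        first_hit = release not in {r for _, r in recent}  # one uninstall removes every revision
        seen[user] = recent + [(when, release)]
        if first_hit and user not in ALLOWED_USERS:
            out.append(f"unauthorized: {user} deleted release {ns}/{release}")
        if first_hit and len({r for _, r in seen[user]}) == BURST:
            out.append(f"burst: {user} deleted {BURST} releases within {WINDOW_S}s")
    return out
```

Calling alerts() on the lines of an API server audit log returns the alert strings. Denied requests and ordinary Secrets are ignored, and the several revision Secrets removed by a single uninstall count once.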