Tiller Deployment Is Accessible From Within The Cluster
- Query id: e17fa86a-6222-4584-a914-56e8f6c87e06
- Query name: Tiller Deployment Is Accessible From Within The Cluster
- Platform: Kubernetes
- Severity: High
- Category: Networking and Firewall
- CWE: 286
- URL: Github
Description
Checks whether a Tiller (the Helm v2 server-side component) container in a Deployment can be reached from other pods in the cluster. A container is flagged when it passes no `--listen` argument, in which case Tiller binds its port on all interfaces, or when `--listen` binds a non-loopback address instead of `127.0.0.1`, as the samples below show.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: helm
    name: tiller
  name: tiller-bad-args
spec:
  selector:
    matchLabels:
      name: tiller
  template:
    metadata:
      labels:
        app: helm
        name: tiller
    spec:
      containers:
        -
          args:
            - "--listen=10.7.2.8:44134"
          image: tiller-image
          name: tiller-v2
          ports:
            -
              containerPort: 44134
              name: tiller
              protocol: TCP
            -
              containerPort: 44135
              name: http
              protocol: TCP
      serviceAccountName: tiller
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: helm
    name: tiller
  name: tiller-deploy-no-args
spec:
  selector:
    matchLabels:
      name: tiller
  template:
    metadata:
      labels:
        app: helm
        name: tiller
    spec:
      containers:
        -
          name: tiller-v2
          image: tiller-image
      serviceAccountName: tiller
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tiller-deploy
  labels:
    app: helm
    name: tiller
spec:
  selector:
    matchLabels:
      app: helm
      name: tiller
  template:
    metadata:
      labels:
        app: helm
        name: tiller
    spec:
      serviceAccountName: tiller
      containers:
        - name: tiller
          image: "tiller-image"
          args: ["--listen=127.0.0.1:44134"]
          ports:
            - containerPort: 44134
              name: tiller
              protocol: TCP
            - containerPort: 44135
              name: http
              protocol: TCP
```
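The check described above, written as a stand-alone Python function that covers the three samples on this page (it is an added example, not the scanner's own query code): it walks a parsed Deployment, treats any container whose name or image contains "tiller" as a Tiller container (an assumption), and reports those that omit `--listen` or bind it to a non-loopback host. The Deployment is passed in as a dict, for example from a YAML loader, and the assumption that Tiller binds all interfaces when `--listen` is omitted is marked in the code.

```python
# Added example (not the scanner's query code): a stand-alone version of the
# check this page's positive/negative samples illustrate. Works on a Deployment
# already parsed into a dict (e.g. by yaml.safe_load), standard library only.
# Assumption: Tiller's --listen takes host:port and binds every interface when
# the flag is omitted or given without a host (":44134").
import ipaddress


def listen_host(args):
    """Host part of the --listen value, '' for ':port', None if flag absent."""
    for i, arg in enumerate(args):
        if arg.startswith("--listen="):
            value = arg.split("=", 1)[1]
        elif arg == "--listen" and i + 1 < len(args):
            value = args[i + 1]              # space-separated form
        else:
            continue
        host = value.rpartition(":")[0]      # "10.7.2.8:44134" -> "10.7.2.8"
        return host.strip("[]")              # tolerate "[::1]:44134"
    return None


def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                       # '' (all interfaces) or a hostname
        return False


def exposed_tiller_containers(deployment):
    """Names of Tiller containers that other pods in the cluster can reach."""
    findings = []
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod_spec.get("containers", []):
        if "tiller" not in f"{c.get('name', '')} {c.get('image', '')}":
            continue                         # assumption: not a Tiller container
        host = listen_host(c.get("args") or [])
        if host is None or not is_loopback(host):
            findings.append(c["name"])
    return findings


def tiller_deployment(name, container):
    """Minimal Deployment dict around one container (constructed sample)."""
    return {"kind": "Deployment", "metadata": {"name": name},
            "spec": {"template": {"spec": {"containers": [container]}}}}
```

To scan a real manifest, feed each document from `yaml.safe_load_all` to `exposed_tiller_containers` and report any non-empty result.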