Disallow Helm Tiller in CEL expressions
Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation, as restricted users can impact other users. It is recommended to use Helm v3+, which does not contain Tiller, for these reasons. This policy validates that no container image name contains the string `tiller`.
Policy Definition
/best-practices-cel/disallow-helm-tiller/disallow-helm-tiller.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-helm-tiller
  annotations:
    policies.kyverno.io/title: Disallow Helm Tiller in CEL expressions
    policies.kyverno.io/category: Sample in CEL
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared
      resource accessible to any authenticated user. Tiller can lead to privilege escalation as
      restricted users can impact other users. It is recommended to use Helm v3+ which does not contain
      Tiller for these reasons. This policy validates that there is not an image
      containing the name `tiller`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: validate-helm-tiller
      match:
        any:
        - resources:
            kinds:
              - Pod
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            - expression: "object.spec.containers.all(container, !container.image.contains('tiller'))"
              message: "Helm Tiller is not allowed"
```