Disallow Helm Tiller

Tiller has known security challenges: it requires administrative privileges and acts as a shared resource accessible to any authenticated user. Because restricted users can affect other users' workloads through Tiller, it can lead to privilege escalation.

Policy Definition

/best-practices/disallow_helm_tiller.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-helm-tiller
  annotations:
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/description: >-
      Tiller has known security challenges. It requires administrative privileges and
      acts as a shared resource accessible to any authenticated user. Tiller can lead
      to privilege escalation as restricted users can impact other users.
spec:
  # audit only records violations in policy reports; use enforce to reject matching Pods
  validationFailureAction: audit
  rules:
  - name: validate-helm-tiller
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Helm Tiller is not allowed."
      pattern:
        spec:
          # only spec.containers is checked; spec.initContainers is not covered by this pattern
          containers:
          # every container image must NOT match the wildcard *tiller*
          - image: "!*tiller*"
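To see what this pattern accepts and rejects without a cluster, here is an added Python example (not code from the Kyverno project) that re-implements the pattern semantics the rule relies on and evaluates it against two constructed Pod manifests. The wildcard rules (`*`, `?`, leading `!`), the per-element array matching and the audit/enforce behaviour are assumptions about Kyverno stated in the code comments.

```python
"""Offline check of the disallow-helm-tiller pattern against Pod manifests.

Added example, not code from the Kyverno policy library. It re-implements
just the pattern semantics this policy relies on (assumed Kyverno behaviour):
every element of spec.containers[] is checked against the single pattern
element, `*` matches any run of characters, `?` one character, and a leading
`!` negates the match.
"""
import re

IMAGE_PATTERN = "!*tiller*"              # pattern from the policy above
MESSAGE = "Helm Tiller is not allowed."  # message from the policy above


def wildcard_match(pattern: str, value: str) -> bool:
    """Match a Kyverno-style wildcard pattern; a leading '!' negates it."""
    negate = pattern.startswith("!")
    body = pattern[1:] if negate else pattern
    regex = re.escape(body).replace(r"\*", ".*").replace(r"\?", ".")
    matched = re.fullmatch(regex, value) is not None
    return matched != negate


def validate_pod(pod: dict) -> list[str]:
    """Return one message per spec.containers[] image violating the rule.
    Like the policy itself this inspects only spec.containers, so a Tiller
    image in spec.initContainers would go unreported."""
    containers = pod.get("spec", {}).get("containers", [])
    return [
        f"{MESSAGE} (container {c.get('name', '?')}: {c.get('image', '')})"
        for c in containers
        if not wildcard_match(IMAGE_PATTERN, c.get("image", ""))
    ]


def admission_result(pod: dict, failure_action: str = "audit") -> tuple:
    """Mirror validationFailureAction: 'audit' records violations but admits
    the Pod, 'enforce' rejects it when any violation exists."""
    violations = validate_pod(pod)
    allowed = failure_action != "enforce" or not violations
    return allowed, violations


# Constructed sample manifests, not taken from any real cluster.
TILLER_POD = {"metadata": {"name": "tiller-deploy"}, "spec": {"containers": [
    {"name": "tiller", "image": "gcr.io/kubernetes-helm/tiller:v2.16.0"}]}}
CLEAN_POD = {"metadata": {"name": "web"}, "spec": {"containers": [
    {"name": "web", "image": "nginx:1.21"}]}}
```

With the policy's default `audit` action the Tiller Pod is still admitted and only reported; switching the action to `enforce` is what turns the violation into a rejection.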
Last modified January 2, 2021: fix titles (9a0d72f)