
Microsoft Warns Default Kubernetes Helm Charts May Expose Sensitive Data

Microsoft has issued a warning about the security dangers associated with default settings in Kubernetes deployments, especially those that use Helm charts straight out of the box.

These configurations, often deployed without modifications, can inadvertently expose sensitive data to the public internet. 

According to a report from Microsoft Defender for Cloud Research, authored by security experts Michael Katchinskiy and Yossi Weizman, many default Helm charts lack essential protections. Common issues include unauthenticated access, open and exploitable ports, and weak or hardcoded passwords that are easy to crack. 

Kubernetes is a leading open-source platform for automating the deployment, scaling, and management of containerized applications. Helm, a popular package manager for Kubernetes, uses "charts" as blueprints for deploying applications. These charts include YAML configuration files that define the necessary resources. 

While Helm charts offer convenience by simplifying complex deployments, they often come with default settings that overlook critical security measures. The report warns that users who are unfamiliar with cloud security may deploy these charts without reviewing them, leaving services unintentionally exposed to the internet. 

“Default configurations that lack proper security controls create a severe security threat,” Microsoft researchers noted. “Organizations may unknowingly deploy applications without any protection, opening the door to attackers especially when those apps can interact with sensitive APIs or perform administrative actions.” 

The researchers detailed three real-world examples of insecure Helm chart deployments: 

  • Apache Pinot: Key services (pinot-controller and pinot-broker) are exposed via Kubernetes LoadBalancer services with no authentication. 
  • Meshery: Public sign-up is enabled by default, allowing unauthorized users to register and access cluster operations. 
  • Selenium Grid: Uses a NodePort that exposes the service across all cluster nodes, relying solely on external firewalls for protection. This issue isn’t present in the official chart but exists in several widely used third-party GitHub versions. 

In the case of Selenium Grid, misconfigurations have previously been exploited by attackers to install cryptocurrency miners like XMRig and mine Monero. 

To reduce risk, Microsoft recommends that organizations: 

  • Thoroughly review Helm chart configurations for security best practices before deployment. 
  • Implement authentication and network isolation. 
  • Conduct regular scans to detect misconfigurations that expose workloads to the internet. 
  • Continuously monitor containers for suspicious behavior. 

By proactively securing Kubernetes deployments, organizations can prevent attackers from exploiting overlooked default settings. 
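The scanning recommendation above can be approximated with a short audit of Service objects. This is an added example, not code from Microsoft's report: it flags the two exposure patterns named in the article (unrestricted LoadBalancer services and NodePort services) and cannot tell whether the application behind a port enforces authentication. The function name `audit_services` is hypothetical, and the sample services, namespaces and port numbers are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get services -A -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"namespace": "pinot", "name": "pinot-controller"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 9000}]}},
    {"metadata": {"namespace": "qa", "name": "selenium-hub"},
     "spec": {"type": "NodePort", "ports": [{"port": 4444, "nodePort": 30444}]}},
    {"metadata": {"namespace": "ops", "name": "restricted-lb"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}],
              "loadBalancerSourceRanges": ["10.0.0.0/8"]}},
    {"metadata": {"namespace": "ops", "name": "internal-api"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 8080}]}},
]})

# Annotation that requests an internal (non-public) load balancer on AKS.
INTERNAL_LB = "service.beta.kubernetes.io/azure-load-balancer-internal"


def audit_services(doc):
    """Return (service, type, reason, ports) for Services reachable from outside."""
    findings = []
    for svc in json.loads(doc).get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        ports = spec.get("ports") or []
        kind = spec.get("type", "ClusterIP")  # ClusterIP is the Kubernetes default
        if kind == "LoadBalancer":
            internal = (meta.get("annotations") or {}).get(INTERNAL_LB) == "true"
            # Flag only load balancers with neither an internal flag nor a CIDR allowlist.
            if not internal and not spec.get("loadBalancerSourceRanges"):
                findings.append((name, kind, "no source-range restriction",
                                 [p.get("port") for p in ports]))
        elif kind == "NodePort":
            findings.append((name, kind, "open on every node, firewall is the only control",
                             [p.get("nodePort") for p in ports]))
    return findings


if __name__ == "__main__":
    for name, kind, reason, ports in audit_services(SAMPLE):
        print(f"{name}: {kind} {ports} - {reason}")
```

Against a live cluster, the same function can be fed the output of `kubectl get services -A -o json`; each finding is a starting point for checking whether the service behind it requires authentication.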

 
