If you’ve ever used pre-made Helm charts to quickly set up applications in Kubernetes, you might want to double-check your security settings.
Microsoft has warned that using default Helm charts to deploy Kubernetes applications can expose organizations to cyberattacks. The tech giant’s Defender for Cloud team found that popular “out-of-the-box” templates often sacrifice security for ease of use, opening the door to unauthorized data access, code execution, and full cluster compromise.
“While these ‘plug-and-play’ options greatly simplify the setup process, they often prioritize ease of use over security,” said Michael Katchinskiy and Yossi Weizman, security researchers from Microsoft Defender for Cloud, in a blog post. “As a result, a large number of applications end up being deployed in a misconfigured state by default, exposing sensitive data, cloud resources, or even the entire environment to attackers.”
Real-world risks from templates
Helm charts are widely used for their speed and convenience. However, Microsoft’s research highlights a worrying trend: many of these templates, especially from open-source repositories, lack critical security controls by default.
One of the most alarming cases involved Apache Pinot, a distributed database used for real-time analytics. Microsoft discovered that Pinot’s official Helm chart exposes its primary services (pinot-broker and pinot-controller) to the public internet via Kubernetes LoadBalancer services. Worse still, authentication is not enabled by default.
“Recently, Microsoft Defender for Cloud identified several incidents in which attackers exploited misconfigured Apache Pinot workloads, allowing them to access the data of Apache Pinot users,” the researchers noted.
Meshery and Selenium Grid are also in the crosshairs
Meshery, a platform for managing cloud-native infrastructure, was another critical example. When installed using its official Helm chart, Meshery exposes its interface via an external IP address and lets anyone register a new user. This effectively allows outsiders to monitor cluster metrics and even deploy new pods.
“This isn’t just about data leaks,” warned Yossi Weizman. “Attackers who register as users can deploy malicious workloads, escalating privileges to take full control of nodes,” he told GBHackers.
Meanwhile, Selenium Grid, a widely used browser testing tool, was vulnerable due to third-party GitHub templates that exposed it through NodePort or LoadBalancer services.
“The combination of no authentication and internet exposure is catastrophic,” Michael Katchinskiy told GBHackers. “It turns a testing tool into a gateway for cluster takeover.”
How to stay protected
Microsoft recommends:
- Review Helm charts before deploying, don’t assume defaults are safe.
- Enforce authentication, even for internal services.
- Scan for exposed services, and regularly check if any workloads are unintentionally public.
- Monitor for suspicious activity, like unexpected user sign-ups or strange pod deployments.
While Helm charts make Kubernetes deployments faster, blindly trusting default settings can leave your data and entire cluster vulnerable. As cloud attacks rise, taking a few extra minutes to lock down configurations could save a major breach later.
