Microsoft has warned that default configurations in Kubernetes deployments, particularly those installed from pre-configured Helm charts, can inadvertently expose sensitive data and cloud resources and leave environments open to attackers.

In a blog post, security experts Michael Katchinskiy and Yossi Weizman from Microsoft Defender for Cloud Research argued that open-source Helm charts are often deployed with minimal changes, prioritising convenience over security. This default-by-design approach, they said, has led to widespread cases where Kubernetes workloads are made accessible from the internet without proper authentication, network restrictions, or isolation.

Kubernetes is an open-source platform for managing containerised applications, and Helm is the package manager most widely used to deploy applications onto it. A Helm chart bundles templated YAML manifests with a set of default values that together define the Kubernetes resources to install. Many charts, however, ship defaults that publish a workload outside the cluster, typically by declaring a Service of type LoadBalancer or NodePort, without requiring authentication or restricting which networks may reach it. Deployed unchanged, such a chart leaves the application misconfigured and reachable by anyone who can route to the cluster.

Microsoft researchers stated that users, especially those unfamiliar with cloud security, often deploy these charts as-is. “Default configurations that lack proper security controls create a severe security threat,” they said in the blog post. “Without carefully reviewing the YAML manifests and Helm charts, organisations may unknowingly deploy services lacking any form of protection, leaving them fully exposed to attackers. This is particularly concerning when the deployed application can query sensitive APIs or allow administrative actions.”

Case studies reveal common misconfigurations

To demonstrate the scale of the issue, Microsoft examined Helm charts for several popular open-source applications.

Apache Pinot, a real-time OLAP datastore, was found to expose core components such as pinot-controller and pinot-broker through LoadBalancer services without any authentication. The exposed dashboard allowed unauthorised users to manage data and workloads.

Meshery, a platform for managing cloud-native infrastructure, was found to allow public user registration on an exposed IP address. Anyone who registers on such an instance could gain access to cluster operations and deploy new pods if the deployment is left unprotected.

Selenium, a widely used browser-testing framework, has been the target of several attack campaigns in recent months aimed at Selenium Grid instances running without authentication. Wiz and Cado Security are among the security vendors that have reported such attacks.

Recommendations for strengthening Kubernetes security

Microsoft recommends that organisations carefully review Helm chart configurations before deployment. This includes verifying that authentication mechanisms are in place, limiting external exposure of services, and enforcing network isolation.

Regular scanning for exposed workloads and continuous monitoring of containerised applications for abnormal behaviour are also advised. These steps can help detect unauthorised access, backdoor deployments, or attempts to compromise cloud resources.
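To make the "limit external exposure" and "scan for exposed workloads" advice concrete, here is an added example (not Microsoft's code, nor any chart's) that reads the JSON returned by `kubectl get svc,networkpolicy -A -o json`, flags Services of type LoadBalancer or NodePort that carry neither an internal-load-balancer annotation nor a source-range restriction, lists namespaces with no NetworkPolicy at all, and emits a merge patch that pulls an exposed Service back to ClusterIP. The sample cluster data, the Service and namespace names, the port numbers and the set of internal-LB annotations are assumptions constructed for this example.

```python
"""Scan kubectl JSON for Services a chart's defaults expose outside the cluster
and for namespaces with no NetworkPolicy. Added example; sample data constructed."""
import json
import sys

# Annotations cloud controllers honour to keep a LoadBalancer off the public
# internet. Assumption: this list covers the providers in use; extend as needed.
INTERNAL_LB_ANNOTATIONS = {
    "service.beta.kubernetes.io/azure-load-balancer-internal": "true",
    "networking.gke.io/load-balancer-type": "Internal",
    "service.beta.kubernetes.io/aws-load-balancer-scheme": "internal",
}

# Constructed sample: a chart deployed with default values into "analytics"
# (component names mirror those in the article; ports are illustrative) plus
# two correctly scoped LoadBalancers and a NetworkPolicy in "platform".
SAMPLE_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "Service", "metadata": {"name": "pinot-controller", "namespace": "analytics"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 9000}]}},
    {"kind": "Service", "metadata": {"name": "pinot-broker", "namespace": "analytics"},
     "spec": {"type": "NodePort", "ports": [{"port": 8099, "nodePort": 30099}]}},
    {"kind": "Service", "metadata": {"name": "zookeeper", "namespace": "analytics"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 2181}]}},
    {"kind": "Service", "metadata": {"name": "internal-api", "namespace": "platform",
     "annotations": {"service.beta.kubernetes.io/azure-load-balancer-internal": "true"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
    {"kind": "Service", "metadata": {"name": "vpn-only", "namespace": "platform"},
     "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["10.0.0.0/8"],
              "ports": [{"port": 443}]}},
    {"kind": "NetworkPolicy", "metadata": {"name": "default-deny", "namespace": "platform"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
]})


def service_exposure(svc):
    """Classify a Service as 'exposed', 'restricted', 'internal' or 'cluster'."""
    spec = svc.get("spec", {})
    stype = spec.get("type", "ClusterIP")
    if stype == "NodePort":
        # Listens on every node address and accepts no source ranges; treat as
        # exposed unless the node network is proven to be private.
        return "exposed"
    if stype != "LoadBalancer":
        return "cluster"
    ann = svc.get("metadata", {}).get("annotations") or {}
    if any(ann.get(k) == v for k, v in INTERNAL_LB_ANNOTATIONS.items()):
        return "internal"
    ranges = spec.get("loadBalancerSourceRanges") or []
    open_to_all = any(r.split("/")[0] in ("0.0.0.0", "::") for r in ranges)
    if ranges and not open_to_all:
        return "restricted"
    return "exposed"


def scan(kubectl_json):
    """Return exposed Services and the namespaces that hold Services but no NetworkPolicy."""
    items = json.loads(kubectl_json)["items"]
    policy_ns = {i["metadata"]["namespace"] for i in items if i.get("kind") == "NetworkPolicy"}
    exposed, service_ns = [], set()
    for it in items:
        if it.get("kind") != "Service":
            continue
        ns, name = it["metadata"]["namespace"], it["metadata"]["name"]
        service_ns.add(ns)
        if service_exposure(it) == "exposed":
            exposed.append((ns, name, it["spec"]["type"]))
    return {"exposed": exposed, "no_network_policy": sorted(service_ns - policy_ns)}


def find_service(kubectl_json, namespace, name):
    """Look up one Service object by namespace and name."""
    for it in json.loads(kubectl_json)["items"]:
        m = it["metadata"]
        if it.get("kind") == "Service" and (m["namespace"], m["name"]) == (namespace, name):
            return it
    raise KeyError(f"{namespace}/{name}")


def harden_patch(svc):
    """Merge patch that pulls a Service back to ClusterIP, for
    `kubectl patch svc -n NS NAME --type merge -p '<json>'`. nodePort is
    stripped from every port because a ClusterIP Service may not carry one and
    not every API server version clears it for you; source ranges become moot."""
    ports = [{k: v for k, v in p.items() if k != "nodePort"} for p in svc["spec"].get("ports", [])]
    return {"spec": {"type": "ClusterIP", "ports": ports, "loadBalancerSourceRanges": None}}


if __name__ == "__main__":
    # Pipe real `kubectl get svc,networkpolicy -A -o json` output in, or run on the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    report = scan(data)
    for ns, name, stype in report["exposed"]:
        patch = json.dumps(harden_patch(find_service(data, ns, name)))
        print(f"EXPOSED {ns}/{name} ({stype}); fix: kubectl patch svc -n {ns} {name} --type merge -p '{patch}'")
    for ns in report["no_network_policy"]:
        print(f"NO NETWORKPOLICY in namespace {ns}")
```

Switching a Service to ClusterIP only closes the direct path from outside the cluster; the workload still needs an authenticated front door (an Ingress or gateway with authentication) and a NetworkPolicy limiting which pods may reach it, which is why the scan reports namespaces lacking any policy alongside the exposed Services.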

Microsoft Defender for Cloud includes tools for identifying misconfigurations and alerting users to exposed Kubernetes interfaces. The platform’s Cloud Security Explorer also enables visibility into internet-facing services, assisting organisations in securing their containerised environments.
