Helm has revolutionized how Kubernetes applications are deployed. A single helm install can launch a fully functioning stack in seconds. But a new report by Microsoft Defender for Cloud reveals a disturbing truth: many Helm charts are insecure by default, and their convenience often comes at the cost of exposure.
The report, The Risk of Default Configuration: How Out-of-the-Box Helm Charts Can Breach Your Cluster, highlights how default configurations expose dashboards, APIs, and services to the internet — often without authentication or access control. What’s more alarming is that this risk isn’t limited to hobbyist tools: even security software — such as CrowdStrike’s Falcon Kubernetes Admission Controller (KAC) — can pose similar risks if misconfigured or deployed without hardening.
📊 Microsoft’s Findings: Insecure Defaults Are Everywhere
Microsoft’s security researchers scanned GitHub repositories for common patterns like:
yamlCopyEdittype: LoadBalancer
These patterns often indicate that a Kubernetes service is exposed externally — which is fine for a web frontend, but dangerous for internal components like dashboards, databases, or control planes.
🔍 Key Findings from the Report:
- Helm charts prioritize usability, not security.
- Services are frequently exposed using
LoadBalancerorNodePort. - Authentication and authorization are often absent or optional.
- Services are frequently exposed using
- Open-source tools are often deployed directly into production.
- Tools like Apache Pinot, Meshery, and Selenium Grid had publicly accessible dashboards with no login required.
- Attackers are actively exploiting these defaults.
- Microsoft observed real-world attacks where these exposed services were used for:
- Remote code execution (RCE)
- Data harvesting
- Cluster persistence or lateral movement
- Microsoft observed real-world attacks where these exposed services were used for:
🧱 Real-World Example: Apache Pinot
- What it is: Real-time OLAP datastore
- Issue: Helm chart exposes
pinot-controllerandpinot-brokerviaLoadBalancer, unauthenticated - Impact: Any remote IP can browse or query production data
🧪 Real-World Example: Meshery
- What it is: Service mesh manager for Kubernetes
- Issue: Default Helm deployment creates public-facing dashboard with open registration
- Impact: Unauthorized users can deploy workloads or run diagnostics
🚨 Why Even Security Tools Need Scrutiny: CrowdStrike Falcon KAC
Even Helm charts from leading cybersecurity vendors aren’t immune. Consider the CrowdStrike Falcon KAC, a Kubernetes admission controller used to enforce workload policies and integrate with Falcon’s container visibility backend.
While secure by design in several aspects, it lacks some essential configuration defaults that Microsoft’s report warns about.
🔎 Security Analysis of Falcon KAC Helm Chart:
| Feature | Behavior in Default Chart |
|---|---|
| Service Type | ✅ Uses ClusterIP (internal-only) |
| NetworkPolicy | ❌ Not defined — no traffic restrictions |
| Secrets Handling | ⚠️ Uses standard K8s secrets; no vault integration |
| RBAC Scope | ⚠️ Broad access for webhook components |
| Pod Isolation | ✅ Uses securityContext for hardening |
🔐 What Could Go Wrong?
If a DevOps engineer adjusts the Falcon KAC service type to LoadBalancer (perhaps for debugging), and deploys in a cluster with no default NetworkPolicy:
- The webhook service could become publicly reachable.
- External actors could simulate pod creation requests or interfere with webhook operations.
- Combined with broad RBAC or weak secret management, this could lead to:
- Unauthorized admission approvals or rejections
- Remote code injection via manipulated pod specs
- Complete cluster compromise
🛡️ How to Mitigate: Recommendations from Microsoft + Community Best Practices
| Risk Area | Microsoft Guidance | Action for Falcon KAC or Similar Charts |
|---|---|---|
| Service Exposure | Avoid LoadBalancer for internal services | Keep Falcon KAC on ClusterIP; use internal DNS only |
| Network Isolation | Apply NetworkPolicy to limit traffic | Define policy for Falcon namespace |
| Secrets Management | Use secure vaults or external managers | Replace K8s secrets with external store if possible |
| RBAC & Permissions | Enforce least privilege | Review ClusterRole/RoleBinding scopes |
| CI/CD Integration | Validate Helm via kubeaudit, OPA, etc. | Add checks to pipeline before deployment |
📂 Example: Secure NetworkPolicy for Falcon KAC
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: falcon-kac-ingress
namespace: falcon-kac
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
egress:
- to:
- ipBlock:
cidr: <INSERT_CROWDSTRIKE_API_CIDR>
🎯 Final Thought: Secure by Default Needs to Become the Standard
Microsoft’s report is a wake-up call: the Kubernetes ecosystem’s reliance on fast, reusable Helm charts is creating long-tail vulnerabilities. Helm maintainers and users alike must treat configuration as a security boundary. Whether you’re deploying an open-source dashboard or an enterprise-grade security tool like Falcon KAC — default does not mean safe.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.