Container Service for Kubernetes has recently upgraded Helm to v3 for new clusters. The Tiller server component for Helm v2 has known security issues among community users. Attackers can use Tiller to install unauthorized applications in the cluster. We recommend that you upgrade to Helm v3 in a timely manner.

Affected scenarios

Run the kubectl get deploy -n kube-system tiller-deploy command to check whether a tiller deployment exists. If yes, check the following conditions:
  • Whether the kubeconfig file containing cluster credentials is provided to external users.
  • Whether logon access to the Container Service console is provided to external users.
  • Whether the cluster is used by multiple tenants and whether privilege isolation is enabled among multiple users.

If one of the preceding conditions is met, we recommend that you upgrade to Helm v3.

Unaffected scenarios or unable to upgrade to Helm v3

If your application scenario does not meet the preceding conditions or you cannot upgrade to Helm v3, we recommend that you upgrade Tiller of Helm v2 to the latest version for enhanced security. You can take the following steps to perform the upgrade.

  1. Run the following command:
    helm init --tiller-image registry.cn-hangzhou.aliyuncs.com/acs/tiller:v2.16.3 --upgrade
  2. After the Tiller health check succeeds, you can run the helm version command to query the upgrade result.

    The preceding command upgrades the server component of Helm only. To download the client components for different operating systems, visit this link.

Note If your application scenario does not meet the preceding conditions or you cannot upgrade to Helm v3, you can upgrade Tiller to the latest version and skip the following steps. You may upgrade to Helm v3 later.

Precheck

Before you upgrade Helm v2, perform a precheck as follows:

  1. Check whether Tiller is installed in your cluster. Run the kubectl get deploy -n kube-system tiller-deploy command to check whether a tiller deployment exists.
  2. If yes, run the helm ls -a command to check whether applications are installed.
  3. If yes, you must delete the applications first because of data incompatibility between Helm v2 and v3.
    Notice The Helm community provides a plug-in that migrates Helm v2 configurations and releases to Helm v3. We recommend that you use it with caution to avoid data loss. For more information about the plug-in, see helm-2to3.

Upgrade procedure

  1. Make sure that you pass the Precheck.
  2. Run the following command: kubectl delete deploy tiller-deploy -n kube-system.
  3. Download the Helm v3 client component to install new applications.
    Notice
    Before you install new applications:
    • You must use Helm v3 to install the applications that were installed through Helm v2 again. Evaluate the impact on your workloads.
    • When you reinstall an application, the original data will be lost. Back up your data in advance.