Container Service for Kubernetes (ACK) has upgraded Helm to v3 for newly created clusters. The Tiller server component of Helm v2 has security issues that are known in the community: attackers can use Tiller to install unauthorized applications in the cluster. We recommend that you upgrade to Helm v3 at your earliest opportunity.
- Whether the kubeconfig file of your ACK cluster is provided to external users.
- Whether external access to the ACK console is allowed.
- Whether your ACK cluster is used in a multi-tenancy scenario and whether privilege isolation is enabled among users.
If one of the preceding conditions is met, we recommend that you upgrade to Helm v3.
Unaffected scenarios or cases where you cannot upgrade to Helm v3
If the scenario does not meet the preceding conditions or you cannot upgrade to Helm v3, we recommend that you manually upgrade Tiller of Helm v2 to the latest version for higher security. Perform the following steps to upgrade Tiller of Helm v2 to the latest version:
- Run the following command:
    helm init --tiller-image registry.cn-hangzhou.aliyuncs.com/acs/tiller:v2.16.3 --upgrade
- After Tiller passes the health check, you can run the helm version command to query the upgrade result.
The preceding command upgrades only the server component of Helm. To download the client components for different operating systems, use the download link.
Before you upgrade Helm v2, perform the following steps for a pre-check:
- Check whether Tiller is installed in your ACK cluster. Run the kubectl get deploy -n kube-system tiller-deploy command to check whether a tiller Deployment exists.
- If a tiller Deployment exists, run the helm ls -a command to check whether applications are installed.
- If applications are installed, you must first delete these applications because of data incompatibility between Helm v2 and v3.
Notice: The Helm community provides a plug-in to migrate Helm v2 configurations and releases to Helm v3. To prevent data loss, proceed with caution when you use the plug-in. For more information about the plug-in, see helm-2to3.
- Make sure that you have passed the Pre-check.
- Run the kubectl delete deploy tiller-deploy -n kube-system command.
- Download the Helm v3 client component to install new applications.
Notice: Before you install new applications:
- You must use Helm v3 to reinstall the applications that were installed through Helm v2. Evaluate the impacts on your workloads.
- When you reinstall an application, the original data will be lost. Back up your data in advance.
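
The pre-check and the Tiller removal step above can be combined into one gate so that tiller-deploy is deleted only when no Helm v2 releases remain. The following script is an added example, not part of the original ACK documentation; the function names and return codes are assumptions of this example, and it expects kubectl and the Helm v2 client on the PATH.

```shell
#!/bin/sh
# Added example: gate the Tiller removal on the pre-check described above.
# Return codes are this example's own convention, not Helm's or ACK's:
#   0 = Tiller present, no Helm v2 releases (safe to remove)
#   1 = Tiller present, Helm v2 releases still installed (stop)
#   2 = no tiller-deploy Deployment in kube-system (nothing to remove)
#   3 = cluster or Tiller could not be queried (state unknown, stop)
helm2_precheck() {
    # --ignore-not-found exits 0 with empty output when the Deployment is
    # absent, so a non-zero exit means the API call itself failed.
    p_deploy=$(kubectl get deploy -n kube-system tiller-deploy \
        --ignore-not-found -o name 2>/dev/null) || return 3
    [ -n "$p_deploy" ] || return 2

    # -a lists releases in every state; -q prints release names only.
    p_releases=$(helm ls -a -q 2>/dev/null) || return 3
    if [ -n "$p_releases" ]; then
        echo "Helm v2 releases still installed:" >&2
        printf '%s\n' "$p_releases" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Deletes tiller-deploy only when the pre-check returns 0.
remove_tiller_if_safe() {
    r_rc=0
    helm2_precheck || r_rc=$?
    case "$r_rc" in
        0) kubectl delete deploy tiller-deploy -n kube-system || r_rc=3 ;;
        1) echo "Back up data and delete or migrate these releases first." >&2 ;;
        2) echo "Tiller is not installed; nothing to remove." >&2 ;;
        *) echo "Pre-check could not query the cluster; not deleting." >&2 ;;
    esac
    return "$r_rc"
}
```

Source the file and call remove_tiller_if_safe while the kubeconfig of the target cluster is active; any non-zero return means Tiller was left in place.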