https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/the-risk-of-default-configuration-how-out-of-the-box-helm-charts-can-breach-your/4409560

Microsoft security researchers have issued an urgent warning about significant security risks posed by default configurations in Kubernetes deployments, particularly when using out-of-the-box Helm charts. These configurations can inadvertently expose sensitive data to the public internet without proper authentication protections.

According to a new report from Michael Katchinskiy and Yossi Weizman of Microsoft Defender for Cloud Research, many popular Helm charts lack basic security measures, often leaving exploitable ports open and implementing weak or hardcoded passwords that are easy to compromise.

“Default configurations that lack proper security controls create a severe security threat,” the Microsoft researchers warn. “Without carefully reviewing the YAML manifests and Helm charts, organizations may unknowingly deploy services lacking any form of protection, leaving them fully exposed to attackers.”

Kubernetes has become a widely adopted open-source platform for automating containerized application deployment and management, with Helm serving as its package manager. Helm charts function as templates or blueprints that define resources needed to run applications through YAML files. While these charts offer convenience by simplifying complex deployments, their default settings often prioritize ease of use over security.

The report highlights three specific examples demonstrating this widespread issue. Apache Pinot’s Helm chart exposes core services through Kubernetes LoadBalancer services with no authentication requirements. Meshery allows public sign-up from exposed IP addresses, so anyone who can reach the interface can potentially register and gain access to cluster operations. Meanwhile, Selenium Grid exposes services across all nodes in a cluster through NodePort, relying solely on external firewall rules for protection.

The Selenium Grid vulnerability is particularly concerning as cybersecurity firms including Wiz have already observed attacks targeting misconfigured instances to deploy XMRig miners for cryptocurrency mining.

Organizations using Kubernetes are advised to implement several key mitigation strategies. Microsoft recommends thoroughly reviewing default configurations of Helm charts before deployment, ensuring they include proper authentication mechanisms and network isolation. Regular scans for misconfigurations that might publicly expose workload interfaces are crucial, as is continuous monitoring of containers for suspicious activity.
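One way to run the exposure scan recommended above, as an added example that is not code from the Microsoft report: the Python script below lists every Service of type LoadBalancer or NodePort from the JSON produced by `kubectl get services --all-namespaces -o json`. The function name, the sample service names, ports and address are constructed for illustration.

```python
import json
import sys

EXPOSING_TYPES = {"LoadBalancer", "NodePort"}  # reachable from outside the cluster

def find_exposed_services(service_list):
    """Return a finding for each Service published beyond the cluster network.

    service_list: parsed `kubectl get services --all-namespaces -o json` output.
    """
    findings = []
    for svc in service_list.get("items", []):
        spec = svc.get("spec", {})
        svc_type = spec.get("type", "ClusterIP")  # API default when unset
        if svc_type not in EXPOSING_TYPES:
            continue
        meta = svc.get("metadata", {})
        ports = spec.get("ports", [])
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        findings.append({
            "namespace": meta.get("namespace", "default"),
            "name": meta.get("name", "<unnamed>"),
            "type": svc_type,
            "ports": [p.get("port") for p in ports],
            # A nodePort is opened on every node of the cluster.
            "node_ports": [p["nodePort"] for p in ports if "nodePort" in p],
            "addresses": [i.get("ip") or i.get("hostname") for i in ingress],
            # Empty means the Service itself sets no source-IP allow-list.
            "source_ranges": spec.get("loadBalancerSourceRanges") or [],
        })
    return findings

# Constructed sample (names, ports and the address are made up for illustration).
SAMPLE = {"items": [
    {"metadata": {"namespace": "analytics", "name": "pinot-controller-external"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 9000, "nodePort": 31900}]},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
    {"metadata": {"namespace": "qa", "name": "selenium-hub"},
     "spec": {"type": "NodePort", "ports": [{"port": 4444, "nodePort": 30444}]}},
    {"metadata": {"namespace": "qa", "name": "internal-db"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}},
]}

if __name__ == "__main__":
    data = SAMPLE
    if len(sys.argv) > 1:  # path to saved kubectl JSON output
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    for f in find_exposed_services(data):
        print(f"{f['namespace']}/{f['name']}: {f['type']} ports={f['ports']} "
              f"nodePorts={f['node_ports']} addresses={f['addresses']} "
              f"sourceRanges={f['source_ranges'] or 'unrestricted'}")
```

A listed Service is a candidate for review, not proof of exposure: whether it is reachable from the internet still depends on cloud firewall rules and load balancer settings, and whether the workload behind it requires authentication has to be checked in the chart's values.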

The findings underscore a critical tension in cloud deployment between convenience and security, with many users — particularly those inexperienced with cloud security — inadvertently creating vulnerabilities by deploying charts without customizing their security settings.