
CVE-2020-11013

Source: redhat.com (access.redhat.com)
Last updated: 2021-12-22 07:54:59

EPSS: 0.001 (Low), percentile 20.6%

A flaw was found in Helm. The `lookup` template function bypasses the intended security property that `helm template` renders a chart without connecting to a Kubernetes cluster. A malicious chart can therefore call `lookup` from a template to read objects from the cluster the user's current kubeconfig points at, and disclose facts about that cluster without the administrator's consent.

Mitigation

Three mitigations are described in the Helm project's advisory.

Running `helm lint` will report an error if a template uses the `lookup` function; templates that pass `helm lint` can therefore be rendered without triggering this vulnerability.

Setting the `KUBECONFIG` environment variable to point to an empty Kubernetes configuration file prevents unintended network connections: with no cluster configured, a `lookup` call in a template has nothing to connect to.

Manually analysing a chart to confirm that no template under its `templates/` directory uses the `lookup` function shows that the chart is safe to render.
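The following script is an added example, not code from the advisory or from the Helm project. It combines the second and third mitigations: a line-based grep over `templates/` for `{{ ... }}` actions that call `lookup`, and a render step that points `KUBECONFIG` at an empty file so even an unnoticed `lookup` cannot reach a real cluster. The chart it builds is constructed for the example; `make_sample_chart`, `find_lookup_calls` and `render_offline` are names chosen here, not Helm commands. The scanner is a heuristic: an action split across lines is missed and the word `lookup` inside a string literal is a false positive, so it complements rather than replaces reading the templates.

```shell
#!/bin/sh
# Added example: scan a Helm chart for template use of lookup and render it
# with an empty KUBECONFIG. Not part of the Red Hat or Helm advisories.
set -eu

# Write a small constructed chart to $1: one clean template and one that
# calls lookup to pull Secrets out of kube-system and embed them in a ConfigMap.
make_sample_chart() {
    dir="$1"
    mkdir -p "$dir/templates"
    cat > "$dir/Chart.yaml" <<'EOF'
apiVersion: v2
name: sample
version: 0.1.0
EOF
    cat > "$dir/templates/configmap.yaml" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-config
data:
  mode: {{ .Values.mode | default "safe" | quote }}
EOF
    cat > "$dir/templates/leak.yaml" <<'EOF'
{{- $secrets := lookup "v1" "Secret" "kube-system" "" }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-leak
data:
  dump: {{ toJson $secrets | quote }}
EOF
}

# Print every template line whose {{ ... }} action calls lookup.
# Exit status 0 = nothing found, 1 = at least one call found.
# The pattern requires "lookup" to follow "{{", "{{-" or a non-identifier
# character, so ".Values.lookup" is not flagged but "{{- $x := lookup" is.
find_lookup_calls() {
    chart_dir="$1"
    pattern='[{][{]-?([^}]*[^[:alnum:]_.])?lookup[^[:alnum:]_]'
    if grep -rnE "$pattern" "$chart_dir/templates"; then
        return 1
    fi
    return 0
}

# Render with helm template while KUBECONFIG points at an empty file, so a
# template that does call lookup has no cluster to connect to.
render_offline() {
    chart_dir="$1"
    empty_kubeconfig=$(mktemp)
    : > "$empty_kubeconfig"
    rc=0
    KUBECONFIG="$empty_kubeconfig" helm template "$chart_dir" || rc=$?
    rm -f "$empty_kubeconfig"
    return "$rc"
}

# Stand-alone run: build the constructed chart, scan it, and only render
# (when helm is installed) if the scan is clean.
chart=$(mktemp -d)
make_sample_chart "$chart"
if find_lookup_calls "$chart"; then
    echo "no lookup calls under $chart/templates; rendering offline"
    if command -v helm >/dev/null 2>&1; then
        render_offline "$chart"
    fi
else
    echo "refusing to render $chart: a template calls lookup" >&2
fi
rm -rf "$chart"
```

In practice the scan goes in front of `helm template` and `helm install --dry-run` in CI, and `render_offline` is the fallback for charts from third parties whose templates you have not read line by line.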
