Install secure Tiller with GKE bootstrap script
The gke_bootstrap_script.sh currently deploys Tiller with an unauthenticated gRPC endpoint. This means that anything that has layer 4 connectivity to the Tiller Pod can do anything in the cluster that Tiller can (cluster-admin at the time of writing).
Binding Tiller to localhost would restrict clients to Helm clients with the RBAC permissions to port-forward to the Tiller Pod:
helm init --override \
'spec.template.spec.containers[0].args={/tiller,--listen=localhost:44134}'
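
One way to check the result of the override, as an added example that is not part of the bootstrap script or of Helm: it reads a Tiller Deployment (as returned by `kubectl get deployment -o json`) and reports containers whose `--listen` address is not loopback. The function names and the sample manifests are constructed for illustration, and the `:44134` default used when no `--listen` flag is present is an assumption about Tiller's behaviour.

```python
import json

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
DEFAULT_LISTEN = ":44134"  # assumed Tiller default when --listen is absent


def listen_address(container):
    """Return the effective --listen value from a container's command + args."""
    argv = list(container.get("command") or []) + list(container.get("args") or [])
    addr = DEFAULT_LISTEN
    for i, arg in enumerate(argv):
        name, sep, value = arg.partition("=")
        if not name.startswith("-") or name.lstrip("-") != "listen":
            continue
        if sep:                       # --listen=host:port
            addr = value
        elif i + 1 < len(argv):       # --listen host:port
            addr = argv[i + 1]
    return addr


def exposed_containers(deployment):
    """List (container name, listen address) pairs not bound to loopback."""
    findings = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        addr = listen_address(c)
        host = addr.rsplit(":", 1)[0]  # ":44134" gives "", i.e. all interfaces
        if host not in LOOPBACK_HOSTS:
            findings.append((c["name"], addr))
    return findings


# Constructed samples, trimmed to the fields the check reads.
DEFAULT_DEPLOY = json.loads("""{"spec": {"template": {"spec": {"containers": [
  {"name": "tiller", "image": "example/tiller:placeholder"}]}}}}""")
BOUND_DEPLOY = json.loads("""{"spec": {"template": {"spec": {"containers": [
  {"name": "tiller", "image": "example/tiller:placeholder",
   "args": ["/tiller", "--listen=localhost:44134"]}]}}}}""")

if __name__ == "__main__":
    for label, dep in (("default", DEFAULT_DEPLOY),
                       ("localhost override", BOUND_DEPLOY)):
        print(label, "->", exposed_containers(dep) or "loopback only")
```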