Matt Butcher

Results: 169 comments by Matt Butcher

@dippynark Feel free to drop in on our Krustlet project. I think we are going to start holding public Zoom meetings in the next few weeks, since we've gotten to...

Sorry, the links you left above are broken @dippynark, and I could not read them. @thomastaylor312 is definitely the best resource with whom to discuss this, though.

Lookup is intentionally disabled for security reasons. There is no plan to change this behavior.

The security disclosure: https://github.com/helm/helm/security/advisories/GHSA-q8q8-93cv-v6h8

Dry-run is NOT expected to interact with the cluster, and this is documented. All other similar functions and capabilities are also disabled for `--dry-run`.

It does appear that several months ago, someone changed the behavior of `--dry-run` to allow it to make _some_ cluster requests. I do not think that this should have been...

I have specifically requested that our outside security auditing firm make some recommendations. I will update when we receive the results.

I have not seen the final report from the security firm. However, based on my conversations with them, the restrictions on `lookup` will not be reduced in `helm template`.

If someone wants to PR support for `--dry-run`, we can review that. Please let the issue drop about "what exactly can be done by an attacker." We have disclosed as...

Re-opening this, as #3471 needs to be backed out.