diff --git a/charts/armada/templates/deployment-api.yaml b/charts/armada/templates/deployment-api.yaml
index 562e3d04..d3d4ea38 100644
--- a/charts/armada/templates/deployment-api.yaml
+++ b/charts/armada/templates/deployment-api.yaml
@@ -176,7 +176,7 @@ spec:
 {{- end }}
 {{- end }}
 - -listen
- - ":{{ .Values.conf.tiller.port }}"
+ - "{{ if not .Values.conf.tiller.listen_on_any }}127.0.0.1{{ end }}:{{ .Values.conf.tiller.port }}"
 - -probe-listen
 - ":{{ .Values.conf.tiller.probe_port }}"
 - -logtostderr
diff --git a/charts/armada/values.yaml b/charts/armada/values.yaml
index 3a4427e4..b1ed61fe 100644
--- a/charts/armada/values.yaml
+++ b/charts/armada/values.yaml
@@ -206,6 +206,12 @@ conf:
 tiller:
 # If set to false then some form of Tiller needs to be provided
 enabled: true
+ # To have Tiller bind to all interfaces, allowing direct connections from
+ # the Helm client to pod_ip:port, set 'listen_on_any: true'.
+ # The default setting 'listen_on_any: false' binds Tiller to 127.0.0.1.
+ # The Armada container talks directly to Tiller via 127.0.0.1, so the
+ # default value is appropriate for normal operation.
+ listen_on_any: false
 port: 24134
 probe_port: 24135
 verbosity: 5
diff --git a/charts/tiller/templates/deployment-tiller.yaml b/charts/tiller/templates/deployment-tiller.yaml
index 1f04a13a..f6df6143 100644
--- a/charts/tiller/templates/deployment-tiller.yaml
+++ b/charts/tiller/templates/deployment-tiller.yaml
@@ -104,7 +104,7 @@ spec:
 {{- end }}
 {{- end }}
 - -listen
- - ":{{ .Values.conf.tiller.port }}"
+ - "{{ if not .Values.conf.tiller.listen_on_any }}127.0.0.1{{ end }}:{{ .Values.conf.tiller.port }}"
 - -probe-listen
 - ":{{ .Values.conf.tiller.probe_port }}"
 - -logtostderr
diff --git a/charts/tiller/values.yaml b/charts/tiller/values.yaml
index 495e3c1d..ba776bc1 100644
--- a/charts/tiller/values.yaml
+++ b/charts/tiller/values.yaml
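Review bot: The `-listen` guard in charts/armada/templates/deployment-api.yaml tests `listen_on_any` for truthiness, so an override that supplies it as the string `"false"` (quoted in a values file, or passed with `--set-string`) is non-empty, counts as true, and leaves Tiller bound to every interface. Comparing against the literal fails closed instead: `- "{{ if ne (toString .Values.conf.tiller.listen_on_any) "true" }}127.0.0.1{{ end }}:{{ .Values.conf.tiller.port }}"`. The identical expression in charts/tiller/templates/deployment-tiller.yaml has the same property. A missing key already falls back to 127.0.0.1, which is the safe direction.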
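Review bot: The comment added above `listen_on_any` in charts/armada/values.yaml says how to open the listener but not what doing so exposes. As far as this diff shows, nothing else restricts the Tiller port, so an operator flipping the flag should be told the consequence next to it, for example `# With 'listen_on_any: true' anything that can reach the pod IP can talk to Tiller on this port; restrict it with a NetworkPolicy.` The matching comment in charts/tiller/values.yaml would benefit from the same line.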
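Review bot: In charts/tiller/templates/deployment-tiller.yaml the new default moves an existing release's listener from all interfaces to 127.0.0.1 on upgrade, and nothing in the commit flags that for operators. If this chart also ships a Service, or other in-cluster clients target the Tiller port directly (not visible in this diff), those connections would fail until `listen_on_any: true` is set, so a release-note or chart NOTES entry is worth adding. Separately, `-probe-listen` stays on all interfaces, presumably so kubelet health checks keep working; a short comment such as `# probe port stays on all interfaces so kubelet probes can reach it` above it would keep someone from tightening it later by mistake.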
@@ -52,6 +52,12 @@ conf:
 # Note: Defaulting to the (default) kubernetes grace period, as anything
 # greater than that will have no effect.
 prestop_sleep: 30
+ # To have Tiller bind to all interfaces, allowing direct connections from
+ # the Helm client to pod_ip:port, set 'listen_on_any: true'.
+ # The default setting 'listen_on_any: false' binds Tiller to 127.0.0.1.
+ # Helm clients with Kubernetes API access dynamically set up a portforward
+ # into the pod, which works with the default setting.
+ listen_on_any: false
 port: 44134
 probe_port: 44135