Helm charts are an easy way to package, version and deploy applications on Kubernetes. They can be used to deploy application services or even Kubernetes components and tools.

They make scaling deployments internally and externally easier, as Kubernetes manifests and commands are bundled together with pre-vetted default values. As a Helm user, you have open source packages, known as charts, readily at your disposal in repositories such as Artifact Hub. Launched in 2019, Artifact Hub has thousands of charts to quickly deploy pre-configured services such as databases into your cluster.

However, our recent research found that over 70% of Helm charts in Artifact Hub contained misconfigurations, such as not setting resource limits and running root containers, that violated CIS Kubernetes Benchmarks. Even the most popular dependency chart, PostgreSQL, contained multiple misconfigurations, such as omitting allowPrivilegeEscalation: false, a setting that defaults to true when left out.

Part of the problem is that securing Helm charts is not as straightforward as securing a Kubernetes manifest.
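As an added example (not from the article, nor from the PostgreSQL chart it mentions), a small Python check that audits a rendered manifest for the three findings named above. The two StatefulSet dicts are constructed samples standing in for `helm template` output, one with the weak defaults and one hardened.

```python
"""Audit a rendered manifest for the misconfigurations named above: missing
resource limits, possible root containers, allowPrivilegeEscalation unset."""

def _pod_spec(manifest):
    """Pod spec of a bare Pod or of a workload (Deployment, StatefulSet, ...)."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]

def audit_manifest(manifest):
    """Return (container name, finding) pairs; an empty list means clean."""
    findings = []
    pod = _pod_spec(manifest)
    pod_sc = pod.get("securityContext", {})
    for c in pod.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if "limits" not in c.get("resources", {}):
            findings.append((name, "no resource limits set"))
        # An absent key means true: Kubernetes defaults allowPrivilegeEscalation to true
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation not set to false"))
        # runAsNonRoot can be set at pod or container level; the container value wins
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append((name, "container may run as root"))
    return findings

# Constructed samples standing in for `helm template` output of a database chart
WEAK = {
    "kind": "StatefulSet",
    "spec": {"template": {"spec": {"containers": [
        {"name": "db", "image": "postgres:14",
         "resources": {"requests": {"cpu": "250m"}}}]}}},
}
HARDENED = {
    "kind": "StatefulSet",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1001},
        "containers": [{
            "name": "db", "image": "postgres:14",
            "resources": {"requests": {"cpu": "250m"},
                          "limits": {"cpu": "1", "memory": "1Gi"}},
            "securityContext": {"allowPrivilegeEscalation": False}}]}}},
}

if __name__ == "__main__":
    for label, m in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_manifest(m))
```

To run it against a real chart, parse the documents produced by `helm template` (for example with PyYAML) and pass each one to audit_manifest.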


Applying Kubernetes Security Best Practices to Helm Charts