Wiz
Level Up Your Container Sec Game [Cheat Sheets]

Download our free cheat sheets and master Kubernetes and container security best practices. Get instant access to expert-curated tips, tricks, and essential guidelines to safeguard your containerized environments.

Download Kubernetes Cheat SheetDownload Containers Cheat Sheet
All articles

Helm Charts in Kubernetes: A security review

Helm Charts streamline the deployment of applications by providing a packaging format that includes all necessary Kubernetes resources.

Nicolas Ehrman
6 minutes read

Helm Charts streamline the deployment of applications by providing a packaging format that includes all necessary Kubernetes resources. This simplifies the management of Kubernetes applications, making it easier to define, install, and upgrade them using a single command.

As Kubernetes grows in popularity, ensuring the security of its components, including Helm Charts, has never been more crucial. Read on to learn how to get the most out of Helm Charts while minimizing risk.

Kubernetes Security For Dummies

Everything you need to know about securing Kubernetes.

Download Report

Why use Helm Charts?

Helm Charts offer numerous benefits, which contribute to their widespread adoption among Kubernetes users. Many organizations look to Helm Charts to achieve the following goals:

  • Simplifying complex applications: As we’ve seen, Helm Charts streamline the handling and deployment of intricate Kubernetes applications by packaging all essential components into a unified bundle. Packaging everything into one easy-to-use format reduces the effort required to manage multiple YAML files and configurations.

Pro tip

By utilizing a templates directory for Helm Charts, developers can simplify their workflows and ensure that each chart adheres to a consistent structure. Additionally, leveraging custom charts tailored to your specific application requirements allows for greater control over the application's environment and can help mitigate potential security risks by addressing your unique needs.

  • Streamlining version control and rollbacks: Helm Charts facilitate version control, enabling you to monitor modifications and revert to earlier versions when necessary, which is crucial for maintaining stability and reliability in your Kubernetes environment.

  • Sharing and reusing applications: Helm Charts facilitate sharing and reusing Kubernetes applications through chart repositories. When all teams work from the same repositories, collaboration and standardization are easy.

  • Facilitating continuous integration and continuous deployment (CI/CD): Helm Charts integrate seamlessly with CI/CD pipelines, facilitating automated deployment of applications (which ensures that applications are consistently deployed and updated across environments).

  • Improving collaboration across development and operations teams: Helm Charts bridge the gap between development and operations teams by providing a common framework for deploying and managing applications. With a unified approach, you can expect enhanced overall efficiency by ensuring both teams are aligned in their workflows and processes.

  • Saving time with pre-built charts: The Helm community offers a vast array of pre-built charts for well-known Kubernetes applications. Use these chart packages to save time and effort in application deployment.

wiz academy

Kubernetes Security Best Practices

Read more

Security risks of Helm Charts

While Helm Charts provide significant benefits, they also introduce potential security risks that must be managed carefully:

1. Insecure configurations

Helm Charts that contain misconfigurations might expose the application to security vulnerabilities. Misconfigurations, such as incorrect resource allocations, insecure network policies, or weak security settings, can be exploited by attackers to gain unauthorized access or disrupt services. The blast radius of such vulnerabilities can extend across the entire Kubernetes cluster, potentially allowing attackers to move laterally and exploit other services. 

2. Default values exposing sensitive information

Default values in Helm Charts can inadvertently expose sensitive information, such as passwords and API keys—that’s why it’s essential to review and secure default values in the values.yaml file. Sensitive data exposure can lead to unauthorized access and data breaches if attackers intercept this information. 

3. Dependency vulnerabilities

Helm Charts often include dependencies that may have their own vulnerabilities. These dependencies can range from other Helm Charts to container images and external libraries, and if any of them have security flaws, they can be exploited to compromise the application and potentially the entire cluster. Manage chart dependencies and ensure they are up-to-date to reduce your attack surface.

4. Insufficient access controls

Improperly configured access controls can lead to unauthorized access and potential privilege escalation within the Kubernetes cluster. Over-permissive roles and permissions can provide unnecessary access to sensitive resources, and improper access controls can even result in privilege escalation, compromising the security of the entire Kubernetes cluster. The fallout from such issues can be extensive, allowing attackers to access and manipulate critical cluster resources.

5. Risk of altered or malicious charts

Deploying charts from untrusted sources has the potential to introduce malicious code into your Kubernetes environment. Malicious charts can compromise application integrity, steal data, or create backdoors for future attacks. The blast radius can include the entire application and potentially other applications running in the same environment. Always verify the source project and maintain trusted chart repositories. 

6. Lack of automated scanning

Without automated scanning, vulnerabilities in Helm Charts might go unnoticed and then get exploited, leading to significant security breaches. Breaches caused by undetected vulnerabilities can affect the entire Kubernetes environment, allowing attackers to exploit weaknesses at will. Implementing automated scanning tools helps you identify and address security issues promptly. 

Keep in mind that securing your charts is an ongoing process. Effective chart development involves continuously integrating security best practices throughout the lifecycle of the chart. Let’s take a closer look.

wiz academy

The top 11 open-source Kubernetes security tools

Read more

Best practices for secure Helm usage

Use trusted sources

Ensuring that Helm Charts come from reliable and verified sources is crucial for preventing security breaches and maintaining the integrity of your Kubernetes environment. Here are some steps to take:

  • Verify the source of Helm Charts before deployment.

  • Regularly update charts to patch known vulnerabilities.

  • Utilize signed charts to ensure integrity and authenticity.

Here’s some sample code that can help you put these best practices into action:

# Adding a trusted Helm repository
helm repo add stable https://charts.helm.sh/stable

# Verifying a signed chart
helm verify stable/my-chart 

# Installing the verified chart 
helm install my-release stable/my-chart

Harden Helm Chart values

Take these steps to harden your Helm Charts:

  • Secure default values to avoid exposing sensitive data.

  • Use environment-specific configurations for different deployment environments.

  • Encrypt sensitive values with tools like Sealed Secrets.

The following code example demonstrates a values.yaml file with encrypted sensitive data, and the second part demonstrates using Sealed Secrets to store and manage sensitive information securely:

# values.yaml with secure configurations
database:
 username: myUser
 password: 
 - encrypted: AgA0I5eA==
 host: mydb.example.com
 port: 5432

# Using Sealed Secrets
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
 name: mysecret
spec:
  encryptedData:
 password: AgA0I5eA==

Kubernetes Security Best Practices [Cheat Sheet]

This 6 page cheat sheet goes beyond the basics and covers security best practices for Kubernetes pods, components, and network security.

Download Cheat Sheet

Implement RBAC policies

Implementing robust RBAC policies is an essential means of controlling access and permissions within your Kubernetes clusters:

  • Define roles and permissions specifically for Helm operations.

  • Restrict access to the Kubernetes API.

  • Use Kubernetes namespaces to isolate resources and limit the blast radius of potential security incidents.

The first YAML code sample defines an RBAC role with specific permissions for Helm operations, and the second code snippet binds this role to a user in the specified namespace:

# Example RBAC policy for Helm
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
 namespace: helm-namespace
 name: helm-role
rules:
- apiGroups: [""]
 resources: ["pods", services, "deployments"]
 verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

# Binding the role to a user
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
 name: helm-rolebinding
 namespace: helm-namespace
subjects:
- kind: User
 name: helm-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
 kind: Role
 name: helm-role
  apiGroup: rbac.authorization.k8s.io

Monitor and log Helm activity

Monitoring and logging Helm activity empowers you to detect and respond to security incidents promptly. Follow these steps to reduce your attack surface:

  • Enable audit logging for Helm commands to track changes and access.

  • Integrate logging with centralized monitoring systems for comprehensive oversight.

  • Set up alerts for suspicious activities to respond quickly to potential threats.

The first YAML code sample included below sets up an audit policy to log metadata for specific Kubernetes resources, while the second code snippet configures Fluentd to collect system logs from the specified path:

# Enabling audit logging in Kubernetes
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
 resources:
 - group: ""
 resources: ["pods", "services", "deployments"]
 users: ["helm-user"]

# Setting up centralized logging with Fluentd
apiVersion: v1
kind: ConfigMap
metadata:
 name: fluentd-config
 namespace: logging
data:
 fluent.conf: |
 <source>
 @type systemd
 @id input_systemd
 tag host.*.syslog
 path /var/log/journal
</source>
wiz academy

The most common Kubernetes security issues and challenges

Read more

Conclusion

If you use Helm Charts, securing them is an essential part of maintaining the overall security and stability of your Kubernetes environments. Following best practices, such as using trusted sources, hardening Helm Chart values, implementing robust RBAC policies, and monitoring Helm activity, helps mitigate many security risks. Unfortunately, Helm does not provide a security solution out of the box to mitigate all risks.

That’s where Wiz comes in. Offering a comprehensive cloud security platform designed to secure everything you build and run in the cloud, Wiz provides end-to-end security solutions, ensuring your cloud environments are protected from build time to runtime. Count on our industry-leading solutions for:

  • Container and Kubernetes security: Wiz holistically secures containers, Kubernetes, and cloud environments across the software development lifecycle with real-time threat detection.

  • Cloud-native application pipeline protection: Trust Wiz to protect your cloud-native application pipeline at every stage. Starting from code, Wiz scans in the IDE and VCS, then continues through the CI/CD pipeline, including scanning container images. Finally, the Admission Controller acts as the last line of defense to prevent any misconfigurations or untrusted images from reaching the Kubernetes cluster.

  • Compliance automation: Our tried-and-true compliance automation tools help you adhere to both industry regulations and custom frameworks.

  • Vulnerability management: Uncover vulnerabilities without deploying agents or configuring external scans.

  • Cloud security posture management (CSPM): Wiz continuously detects and remediates misconfigurations across hybrid clouds.

If you’re looking to secure your Helm Charts—and your entire Kubernetes ecosystem—request a demo of Wiz today!

Empower your developers to be more productive, from code to production

Learn why the fastest growing companies choose Wiz to secure containers, Kubernetes, and cloud environments from build-time to real-time.

Get a demo 

Continue reading

Identity Security [Cloud Edition]

Wiz Experts Team

Cloud identity security is the practice of safeguarding digital identities and the sensitive cloud infrastructure and data they gatekeep from unauthorized access and misuse.

Top 9 OSINT tools

Wiz Experts Team

Open-source intelligence (OSINT) is a framework that involves gathering, analyzing, and interpreting publicly available data to gain insights into cyber threats, adversarial activities, and attack techniques. OSINT identifies innocuous-seeming information that, if analyzed with an attacker’s mindset, could reveal critical loopholes in an enterprise’s security posture.

Top OSS Vulnerability Scanners [By Category]

Wiz Experts Team

Vulnerability scanning is an integral component of every vulnerability management program, providing security teams with insights needed to address vulnerabilities before they become attack vectors. When conducted regularly, vulnerability assessments offer asset discovery and visibility, attack surface management, and compliance enforcement.