Secure Helm chart deployments by validating chart integrity, scanning templates for misconfigurations, and enforcing security contexts in Kubernetes releases.
Helm is the Kubernetes package manager. Securing Helm deployments requires validating chart provenance, scanning templates for security misconfigurations, enforcing pod security contexts, managing secrets securely, and controlling RBAC for Helm operations.
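# --- Chart signing and provenance ---
# Generate GPG key for signing (lives on the signing host; it is never shipped
# with the chart or stored in the chart repository)
gpg --full-generate-key
# Helm reads the legacy GnuPG v1 keyring files. GnuPG >= 2.1 stores keys in
# pubring.kbx / private-keys-v1.d instead, so export both rings once.
# The secret ring holds private key material: keep it mode 0600 and remove
# it when signing is finished.
gpg --export > ~/.gnupg/pubring.gpg
gpg --export-secret-keys > ~/.gnupg/secring.gpg
# Package and sign chart. Signing needs the *secret* keyring: pubring.gpg has
# no private key, so `--sign` against it fails. Replace <signing-key-id> with
# the key's UID (e-mail) or fingerprint as listed by `gpg --list-secret-keys`.
helm package ./mychart --sign --key "<signing-key-id>" --keyring ~/.gnupg/secring.gpg
# Verify chart signature: checks the .prov file next to the .tgz against the
# *public* keyring. This only proves anything if the publisher's public key
# was obtained out-of-band (not alongside the chart) and imported into the
# keyring beforehand.
helm verify mychart-0.1.0.tgz --keyring ~/.gnupg/pubring.gpg
# Verify chart from repository (--verify makes the pull fail when the repo
# serves no .prov file or the signature does not match)
helm pull myrepo/mychart --verify --keyring /path/to/keyring.gpg
# Check chart provenance file (a clear-signed message holding the chart
# metadata plus the sha256 digest of the .tgz)
cat mychart-0.1.0.tgz.prov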
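# --- Render and scan ---
# Scan the rendered manifests, not templates/: Go template syntax is not
# valid YAML, so scanners cannot parse the raw templates.
# Render templates without deploying. `helm template` never contacts a
# cluster, so templates that branch on .Capabilities.KubeVersion or
# .Capabilities.APIVersions render against Helm's built-in defaults unless the
# target version is given; pass it so the scanned output matches what will be
# installed. The output contains fully substituted values (including any
# Secret data from values-prod.yaml): treat rendered.yaml as sensitive and
# do not commit it.
helm template myrelease ./mychart --values values-prod.yaml \
  --kube-version "<target-cluster-version>" > rendered.yaml
# Scan with kubesec (per-resource risk score, flags missing securityContext hardening)
kubesec scan rendered.yaml
# Scan with checkov (policy checks; --framework restricts it to Kubernetes manifests)
checkov -f rendered.yaml --framework kubernetes
# Scan with trivy (misconfiguration scan of the rendered manifests)
trivy config rendered.yaml
# Scan with kube-linter (best-practice checks; non-zero exit on findings makes
# it usable as a CI gate)
kube-linter lint rendered.yaml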
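# --- Chart linting ---
# Lint chart with the production values. --strict turns lint warnings into a
# non-zero exit so CI fails on them; --with-subcharts also lints the
# dependencies under charts/, which are otherwise skipped.
helm lint ./mychart --values values-prod.yaml --strict --with-subcharts
# Lint with verbose output when diagnosing a failing run
helm lint ./mychart --debug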
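# values.yaml - Security hardened defaults
#
# NOTE(review): assumes the chart follows the `helm create` scaffold, where
# `securityContext` is templated into containers[].securityContext and
# `podSecurityContext` into spec.securityContext — confirm against templates/.

# Container-level context. Every field here is valid on a container:
# non-root identity, immutable root filesystem, no privilege escalation,
# and all Linux capabilities dropped.
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 3000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

# Pod-level context. fsGroup only exists on PodSecurityContext, so it belongs
# here rather than under the container context, where the API server either
# rejects it or silently drops it depending on its field validation mode.
# The RuntimeDefault seccomp profile applies to every container in the pod.
podSecurityContext:
  fsGroup: 2000
  seccompProfile:
    type: RuntimeDefault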