Helm Security & Best Practices

๐Ÿ”ฅ Vibe Prompt

"Secure my Helm deployment: signed charts, RBAC for Tiller-less, secrets encryption, OCI registry."

Chart Signing

# Generate key
gpg --full-generate-key

# Sign chart
helm package --sign --key "mykey" ./myapp

# Verify
helm verify myapp-1.0.0.tgz

# Install with verification
helm install myapp ./myapp-1.0.0.tgz --verify

Secrets Management

# โŒ Bad: plaintext in values
password: "supersecret"

# โœ… Good: external secrets operator
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
spec:
  secretStoreRef:
    name: vault-backend
  target:
    name: app-secrets
  data:
    - secretKey: db_password
      remoteRef:
        key: /prod/db/password

Helm Security Checklist

| Practice | Why | |----------|-----| | Sign charts | Prevent tampering | | Use OCI registry | Immutable, versioned | | RBAC for Helm | Limit who can deploy | | Secrets externally | Never in git | | Dry-run first | helm install --dry-run |

OCI Registry

# Push
helm chart save ./myapp oci://registry.example.com/helm/myapp:1.0.0
helm chart push oci://registry.example.com/helm/myapp:1.0.0

# Pull & install
helm install myapp oci://registry.example.com/helm/myapp:1.0.0

Helm & Kubernetes Course Complete! ๐ŸŽ‰

  • โœ… Chart Structure
  • โœ… Go Templates
  • โœ… Dependencies
  • โœ… Hooks
  • โœ… Security

Chapter Summary

  • Understand core concepts and principles
  • Master implementation methods and techniques
  • Familiar with common issues and solutions
  • Able to apply in real projects

Further Reading

  • Official documentation and API references
  • Open source examples on GitHub
  • Technical books and online courses
  • Community discussions and tech blogs

Implementation Example

Basic Example

# This section provides a complete implementation example

Steps

  1. Setup: Configure development environment
  2. Data: Prepare required data
  3. Implementation: Build core functionality
  4. Testing: Verify correctness
  5. Optimization: Improve performance

Common Errors

| Error Type | Cause | Solution | |------------|-------|----------| | Compilation | Syntax | Check code syntax | | Runtime | Environment | Verify dependencies installed | | Logic | Algorithm | Step-by-step debugging | | Performance | Efficiency | Use profilers |

Code Example

import sys

def main():
    print("Hello, World!")

if __name__ == "__main__":
    main()

References

  • Official documentation
  • API reference
  • Open source examples
  • Community discussions

RBAC and Service Accounts

Helm charts often create ServiceAccounts and RBAC resources. Properly scoping permissions is critical.

RBAC Best Practices

| Practice | Why | Implementation | |----------|-----|----------------| | Minimal permissions | Reduce blast radius | Grant only needed verbs/resources | | Namespace scope | Limit to one namespace | Use Role+RoleBinding, not ClusterRole | | ServiceAccount per app | Isolation | Each chart creates its own SA | | Automount tokens | Disable when not needed | automountServiceAccountToken: false |

Example: RBAC Template

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "myapp.fullname" . }}
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""]
  resources: ["pods", "services", "endpoints"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "myapp.fullname" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "myapp.fullname" . }}
subjects:
- kind: ServiceAccount
  name: {{ include "myapp.fullname" . }}
  namespace: {{ .Release.Namespace }}

Secret Management

Never hardcode secrets in values.yaml or templates. Use external secret stores.

Secret Strategies

| Strategy | Tool | When to Use | |----------|------|-------------| | External Secrets | External Secrets Operator | Production clusters | | Sealed Secrets | Bitnami SealedSecrets | GitOps workflows | | Vault | HashiCorp Vault + CSI | Enterprise environments | | AWS Secrets Manager | ASCP (AWS Provider) | AWS EKS clusters |

External Secrets Example

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ include "myapp.fullname" . }}
spec:
  refreshInterval: "1h"
  secretStoreRef:
    name: aws-secrets-store
    kind: SecretStore
  target:
    name: {{ include "myapp.fullname" . }}
    creationPolicy: Owner
  data:
  - secretKey: db_password
    remoteRef:
      key: prod/myapp/database
      property: password

Network Policies

Charts should include NetworkPolicy resources to restrict pod-to-pod traffic.

Network Policy Template

{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ include "myapp.fullname" . }}
spec:
  podSelector:
    matchLabels:
      {{- include "myapp.selectorLabels" . | nindent 6 }}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: {{ .Release.Namespace }}
    ports:
    - protocol: TCP
      port: {{ .Values.service.port }}
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
{{- end }}

Values Validation

Use values.schema.json to validate user-provided values and catch misconfigurations.

Schema Example

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "required": ["image", "service"],
  "properties": {
    "image": {
      "type": "object",
      "required": ["repository", "tag"],
      "properties": {
        "repository": { "type": "string" },
        "tag": { "type": "string", "pattern": "^v?[0-9]+" }
      }
    },
    "replicaCount": {
      "type": "integer",
      "minimum": 1,
      "maximum": 100
    }
  }
}

Summary

Helm security best practices cover RBAC, secrets, network policies, and values validation. Always follow least-privilege principles and never hardcode secrets.

Key takeaways:

  • Use minimal RBAC permissions per chart |
  • Never hardcode secrets โ€” use External Secrets or Vault |
  • Include NetworkPolicy resources for pod isolation |
  • Use values.schema.json to validate inputs |
  • Disable ServiceAccount token automount when unused |
  • Sign charts with Helm provenance for supply chain security |
  • Regularly scan chart dependencies for vulnerabilities |

What's Next: Advanced Topics

This is the last chapter of this course. Next, explore advanced Helm topics like plugins, testing, and chart repositories.

  • Explore Helm plugins for extended functionality
  • Learn about Helm test charts and CI integration
  • Set up a private chart repository
  • Study Helm hooks for complex lifecycle management

Unlock Full Tutorial

This chapter is paid content. Join the project to unlock over 5000 words of deep analysis, including 10+ god-tier Prompts and real Source Code examples!