Helm Security & Best Practices
๐ฅ Vibe Prompt
"Secure my Helm deployment: signed charts, RBAC for Tiller-less, secrets encryption, OCI registry."
Chart Signing
# Generate key
gpg --full-generate-key
# Sign chart
helm package --sign --key "mykey" ./myapp
# Verify
helm verify myapp-1.0.0.tgz
# Install with verification
helm install myapp ./myapp-1.0.0.tgz --verify
Secrets Management
# โ Bad: plaintext in values
password: "supersecret"
# โ
Good: external secrets operator
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
spec:
secretStoreRef:
name: vault-backend
target:
name: app-secrets
data:
- secretKey: db_password
remoteRef:
key: /prod/db/password
Helm Security Checklist
| Practice | Why |
|----------|-----|
| Sign charts | Prevent tampering |
| Use OCI registry | Immutable, versioned |
| RBAC for Helm | Limit who can deploy |
| Secrets externally | Never in git |
| Dry-run first | helm install --dry-run |
OCI Registry
# Push
helm chart save ./myapp oci://registry.example.com/helm/myapp:1.0.0
helm chart push oci://registry.example.com/helm/myapp:1.0.0
# Pull & install
helm install myapp oci://registry.example.com/helm/myapp:1.0.0
Helm & Kubernetes Course Complete! ๐
- โ Chart Structure
- โ Go Templates
- โ Dependencies
- โ Hooks
- โ Security
Chapter Summary
- Understand core concepts and principles
- Master implementation methods and techniques
- Familiar with common issues and solutions
- Able to apply in real projects
Further Reading
- Official documentation and API references
- Open source examples on GitHub
- Technical books and online courses
- Community discussions and tech blogs
Implementation Example
Basic Example
# This section provides a complete implementation example
Steps
- Setup: Configure development environment
- Data: Prepare required data
- Implementation: Build core functionality
- Testing: Verify correctness
- Optimization: Improve performance
Common Errors
| Error Type | Cause | Solution | |------------|-------|----------| | Compilation | Syntax | Check code syntax | | Runtime | Environment | Verify dependencies installed | | Logic | Algorithm | Step-by-step debugging | | Performance | Efficiency | Use profilers |
Code Example
import sys
def main():
print("Hello, World!")
if __name__ == "__main__":
main()
References
- Official documentation
- API reference
- Open source examples
- Community discussions
RBAC and Service Accounts
Helm charts often create ServiceAccounts and RBAC resources. Properly scoping permissions is critical.
RBAC Best Practices
| Practice | Why | Implementation |
|----------|-----|----------------|
| Minimal permissions | Reduce blast radius | Grant only needed verbs/resources |
| Namespace scope | Limit to one namespace | Use Role+RoleBinding, not ClusterRole |
| ServiceAccount per app | Isolation | Each chart creates its own SA |
| Automount tokens | Disable when not needed | automountServiceAccountToken: false |
Example: RBAC Template
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "myapp.fullname" . }}
namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""]
resources: ["pods", "services", "endpoints"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions", "apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "myapp.fullname" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "myapp.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "myapp.fullname" . }}
namespace: {{ .Release.Namespace }}
Secret Management
Never hardcode secrets in values.yaml or templates. Use external secret stores.
Secret Strategies
| Strategy | Tool | When to Use | |----------|------|-------------| | External Secrets | External Secrets Operator | Production clusters | | Sealed Secrets | Bitnami SealedSecrets | GitOps workflows | | Vault | HashiCorp Vault + CSI | Enterprise environments | | AWS Secrets Manager | ASCP (AWS Provider) | AWS EKS clusters |
External Secrets Example
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ include "myapp.fullname" . }}
spec:
refreshInterval: "1h"
secretStoreRef:
name: aws-secrets-store
kind: SecretStore
target:
name: {{ include "myapp.fullname" . }}
creationPolicy: Owner
data:
- secretKey: db_password
remoteRef:
key: prod/myapp/database
property: password
Network Policies
Charts should include NetworkPolicy resources to restrict pod-to-pod traffic.
Network Policy Template
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "myapp.fullname" . }}
spec:
podSelector:
matchLabels:
{{- include "myapp.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: {{ .Release.Namespace }}
ports:
- protocol: TCP
port: {{ .Values.service.port }}
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
{{- end }}
Values Validation
Use values.schema.json to validate user-provided values and catch misconfigurations.
Schema Example
{
"$schema": "http://json-schema.org/draft-07/schema#",
"type": "object",
"required": ["image", "service"],
"properties": {
"image": {
"type": "object",
"required": ["repository", "tag"],
"properties": {
"repository": { "type": "string" },
"tag": { "type": "string", "pattern": "^v?[0-9]+" }
}
},
"replicaCount": {
"type": "integer",
"minimum": 1,
"maximum": 100
}
}
}
Summary
Helm security best practices cover RBAC, secrets, network policies, and values validation. Always follow least-privilege principles and never hardcode secrets.
Key takeaways:
- Use minimal RBAC permissions per chart |
- Never hardcode secrets โ use External Secrets or Vault |
- Include NetworkPolicy resources for pod isolation |
- Use values.schema.json to validate inputs |
- Disable ServiceAccount token automount when unused |
- Sign charts with Helm provenance for supply chain security |
- Regularly scan chart dependencies for vulnerabilities |
What's Next: Advanced Topics
This is the last chapter of this course. Next, explore advanced Helm topics like plugins, testing, and chart repositories.
- Explore Helm plugins for extended functionality
- Learn about Helm test charts and CI integration
- Set up a private chart repository
- Study Helm hooks for complex lifecycle management