<< All versions
Skill v1.0.1
currentAutomated scan100/100mukul975/anthropic-cybersecurity-skills/securing-helm-chart-deployments
+1 new
──Details
PublishedJune 8, 2026 at 08:26 PM
Content Hashsha256:571f0b2c51a31b87...
Git SHA04450304b126
Bump Typepatch
──Files
Files (1 file, 6.8 KB)
SKILL.md6.8 KBactive
SKILL.md · 295 lines · 6.8 KB
name: securing-helm-chart-deployments description: Secure Helm chart deployments by validating chart integrity, scanning templates for misconfigurations, and enforcing security contexts in Kubernetes releases. domain: cybersecurity subdomain: container-security tags:
- helm
- kubernetes
- chart-security
- supply-chain
- configuration-security
- deployment
version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
- PR.PS-01
- PR.IR-01
- ID.AM-08
- DE.CM-01
mitre_attack:
- T1610
- T1611
- T1609
- T1525
- T1195
Securing Helm Chart Deployments
Overview
Helm is the Kubernetes package manager. Securing Helm deployments requires validating chart provenance, scanning templates for security misconfigurations, enforcing pod security contexts, managing secrets securely, and controlling RBAC for Helm operations.
When to Use
- When deploying or configuring securing helm chart deployments capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Helm 3.12+ installed
- kubectl with cluster access
- GnuPG for chart signing/verification
- kubesec or checkov for template scanning
Chart Provenance and Integrity
Sign a Helm Chart
bash
# Generate GPG key for signinggpg --full-generate-key# Package and sign charthelm package ./mychart --sign --key "helm-signing@example.com" --keyring ~/.gnupg/pubring.gpg# Verify chart signaturehelm verify mychart-0.1.0.tgz --keyring ~/.gnupg/pubring.gpg
Verify Chart Before Install
bash
# Verify chart from repositoryhelm pull myrepo/mychart --verify --keyring /path/to/keyring.gpg# Check chart provenance filecat mychart-0.1.0.tgz.prov
Template Security Scanning
Render and Scan Templates
bash
# Render templates without deployinghelm template myrelease ./mychart --values values-prod.yaml > rendered.yaml# Scan with kubeseckubesec scan rendered.yaml# Scan with checkovcheckov -f rendered.yaml --framework kubernetes# Scan with trivytrivy config rendered.yaml# Scan with kube-linterkube-linter lint rendered.yaml
Helm Lint for Misconfigurations
bash
# Lint charthelm lint ./mychart --values values-prod.yaml --strict# Lint with debug outputhelm lint ./mychart --debug
Security Context Enforcement in values.yaml
yaml
# values.yaml - Security hardened defaultssecurityContext:runAsNonRoot: truerunAsUser: 1000runAsGroup: 3000fsGroup: 2000readOnlyRootFilesystem: trueallowPrivilegeEscalation: falsecapabilities:drop:- ALLpodSecurityContext:seccompProfile:type: RuntimeDefaultresources:limits:cpu: 500mmemory: 512Mirequests:cpu: 100mmemory: 128MinetworkPolicy:enabled: trueserviceAccount:create: trueautomountServiceAccountToken: falseimage:pullPolicy: Always# Use digest instead of tag for immutability# tag: "1.0.0"# digest: "sha256:abc123..."
Template with Security Contexts
yaml
# templates/deployment.yamlapiVersion: apps/v1kind: Deploymentmetadata:name: {{ include "mychart.fullname" . }}spec:template:spec:automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}securityContext:{{- toYaml .Values.podSecurityContext | nindent 8 }}containers:- name: {{ .Chart.Name }}securityContext:{{- toYaml .Values.securityContext | nindent 12 }}image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"resources:{{- toYaml .Values.resources | nindent 12 }}
Secrets Management
Use External Secrets (Not Helm Values)
yaml
# templates/external-secret.yamlapiVersion: external-secrets.io/v1beta1kind: ExternalSecretmetadata:name: {{ include "mychart.fullname" . }}-secretsspec:refreshInterval: 1hsecretStoreRef:name: aws-secretsmanagerkind: ClusterSecretStoretarget:name: {{ include "mychart.fullname" . }}-secretsdata:- secretKey: db-passwordremoteRef:key: production/databaseproperty: password
helm-secrets Plugin
bash
# Install helm-secrets pluginhelm plugin install https://github.com/jkroepke/helm-secrets# Encrypt values filehelm secrets encrypt values-secrets.yaml# Deploy with encrypted secretshelm secrets install myrelease ./mychart -f values.yaml -f values-secrets.yaml# Decrypt for editinghelm secrets edit values-secrets.yaml
RBAC for Helm Operations
yaml
# helm-deployer-role.yamlapiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:name: helm-deployernamespace: productionrules:- apiGroups: ["", "apps", "batch", "networking.k8s.io"]resources: ["deployments", "services", "configmaps", "secrets", "ingresses", "jobs"]verbs: ["get", "list", "create", "update", "patch", "delete"]- apiGroups: [""]resources: ["pods", "pods/log"]verbs: ["get", "list"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:name: helm-deployer-bindingnamespace: productionsubjects:- kind: ServiceAccountname: helm-deployernamespace: productionroleRef:kind: Rolename: helm-deployerapiGroup: rbac.authorization.k8s.io
CI/CD Helm Security Pipeline
yaml
# .github/workflows/helm-security.yamlname: Helm Chart Securityon:pull_request:paths: ['charts/**']jobs:lint-and-scan:runs-on: ubuntu-lateststeps:- uses: actions/checkout@v4- name: Helm lintrun: helm lint ./charts/mychart --strict- name: Render templatesrun: helm template test ./charts/mychart -f charts/mychart/values.yaml > rendered.yaml- name: Scan with kube-linteruses: stackrox/kube-linter-action@v1with:directory: rendered.yaml- name: Scan with trivyuses: aquasecurity/trivy-action@masterwith:scan-type: configscan-ref: rendered.yaml- name: Scan with checkovuses: bridgecrewio/checkov-action@masterwith:file: rendered.yamlframework: kubernetes
Best Practices
- Sign charts with GPG and verify before installation
- Render and scan templates before deploying to catch misconfigurations
- Enforce security contexts in values.yaml defaults
- Never store secrets in Helm values - use external secrets or helm-secrets plugin
- Use image digests instead of tags for immutable references
- Restrict Helm RBAC to least privilege per namespace
- Pin chart versions in requirements - never use
latest - Lint strictly in CI with
--strictflag - Review third-party charts before deploying to production
- Use Helm test hooks to validate deployments post-install