Reproducible Security
with Helm Charts
https://bit.lyChartCenterAugust
Deep Datta
deepd@jfrog.com
Community Product Manager
Twitter @DeepDattaX
Agenda
Helm 3 Introduction
Helm Chart Security
Show: Helm Chart Dependency Tools

Helm 3 Introduction
Helm is the Package Manager for Kubernetes
Helm is a package manager for Kubernetes. It helps
users create templated packages called Helm Charts
to include all Kubernetes resources that are required
to deploy a particular application.
Helm then assists with installing the Helm Chart on
Kubernetes:
● Install
● linting
● status
● test
● verify
● deploy
● upgrade
● rollback
Helm 2 vs Helm 3
Removal of Tiller: Helm 2 relied on Tiller, an in-cluster server that every Helm client talked to and that was commonly deployed with cluster-admin rights, so anyone who could reach Tiller could deploy anything. Tiller was removed in Helm 3.
Helm 3 interacts directly with the Kubernetes API using the caller's own kubeconfig, so Kubernetes Role Based Access Controls apply to Helm operations exactly as they apply to kubectl: a user can only install, upgrade or delete what their own RBAC permissions allow.
Here are more improvements to Helm 3:
Dependencies: used to live in a requirements.yaml file, but are now part of the Chart.yaml file.
Releases in namespaces
Three-way strategic merge patch
OCI Registries for charts
Chart validation: JSON Schema support is added
Improved CRD support: Kubernetes Custom Resource Definition (CRD) installations
Library charts: a class of charts called “library charts” are introduced in Helm 3
New commands help with monitoring
helm status [RELEASE]: displays the status of the named release
helm list | helm ls: lists all the releases
helm history [RELEASE]: prints the revision history of a release
$ helm history demo-rel
REVISION  UPDATED                   STATUS      CHART         APP VERSION  DESCRIPTION
1         Mon Oct 3 10:15:13 2016   superseded  alpine-0.1.0  1.0          Initial install
2         Mon Oct 3 10:15:13 2016   superseded  alpine-0.1.0  1.0          Upgraded successfully
3         Mon Oct 3 10:15:13 2016   superseded  alpine-0.1.0  1.0          Rolled back to 2
4         Mon Oct 3 10:15:13 2016   deployed    alpine-0.1.0  1.0          Upgraded successfully
Let’s talk about the structure of a basic Helm Chart
Helm Charts Summary
When you publish a Helm chart, you can take care of the security settings beforehand: the templates and the default values decide how every pod produced from the chart is configured.
A packaged chart version is immutable, and Helm tracks each release revision, so the configuration you reviewed once is deployed identically everywhere and any change shows up as a new chart version or a new revision in helm history.
Chart.yaml
Charts
Templates
values.yaml
Creating your first chart
Things to keep in mind
Let's create our first helm chart:
$ helm create demochart
demochart/
  charts/
  templates/
  Chart.yaml
  values.yaml
Chart.yaml
This is where metadata about the chart lives. You also declare dependencies here.
apiVersion: v2
name: demochart
description: A Helm chart for Kubernetes
type: application
version: 0.1.0
appVersion: 1.16.0
dependencies:
  - name: nginx
    version: "1.2.3"
    repository: "https://example.com/charts"
  - name: memcached
    version: "3.2.1"
    repository: "https://another.example.com/charts"
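Each dependency entry is a supply-chain decision: the repository is where the chart bytes come from and the version decides whether two builds of the same chart pull the same thing. The script below is an added example, not part of the webinar or of Helm; it checks the demochart dependency list (already loaded from Chart.yaml into Python dicts) against three rules a chart reviewer would apply. TRUSTED_REPOS is a hypothetical allow-list invented for the example, and memcached's repository is deliberately left off it to show a hit.

```python
"""Added example (not from the webinar or Helm): sanity-check a chart's
declared dependencies before `helm dependency update` pulls them in.
The dependency list is the one from the demochart Chart.yaml, already
loaded with a YAML parser; the rules and names are this example's own."""
import re

# Exact SemVer: MAJOR.MINOR.PATCH with optional pre-release/build metadata.
EXACT_SEMVER = re.compile(r"^v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")

# Hypothetical allow-list of repositories your organisation has vetted.
TRUSTED_REPOS = {"https://example.com/charts"}


def check_dependency(dep):
    """Return a list of findings for one dependency (empty means it passes)."""
    findings = []
    repo = dep.get("repository", "")
    version = str(dep.get("version", ""))
    name = dep.get("name", "<unnamed>")

    # 1. Transport: only TLS-protected HTTP repos or OCI registries.
    if not (repo.startswith("https://") or repo.startswith("oci://")):
        findings.append(f"{name}: repository {repo!r} is not https:// or oci://")
    # 2. Provenance: the repository must be on the vetted list.
    if repo not in TRUSTED_REPOS:
        findings.append(f"{name}: repository {repo!r} is not in the trusted list")
    # 3. Reproducibility: a range such as ^1.2.0 or ~1.2 resolves to a different
    #    chart tomorrow; require an exact version so the build repeats.
    if not EXACT_SEMVER.match(version):
        findings.append(f"{name}: version {version!r} is not pinned to an exact release")
    return findings


def check_dependencies(deps):
    """Aggregate findings for every dependency in a Chart.yaml list."""
    out = []
    for dep in deps:
        out.extend(check_dependency(dep))
    return out


# Dependencies as declared in the demochart Chart.yaml above.
DEMOCHART_DEPENDENCIES = [
    {"name": "nginx", "version": "1.2.3", "repository": "https://example.com/charts"},
    {"name": "memcached", "version": "3.2.1", "repository": "https://another.example.com/charts"},
]

# Constructed deliberately-bad entry to show what the checks catch.
BAD_DEPENDENCIES = [
    {"name": "redis", "version": "^6.0.0", "repository": "http://charts.example.net"},
]

if __name__ == "__main__":
    for finding in check_dependencies(DEMOCHART_DEPENDENCIES + BAD_DEPENDENCIES):
        print("FAIL:", finding)
```

Run it as part of the same CI job that runs helm lint. Commit Chart.lock as well: it records the exact versions that were resolved and a digest over them, so helm dependency build reproduces the same subcharts later.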
values.yaml
This is where you define the configuration options for each deployment. The security-relevant defaults that helm create scaffolds (serviceAccount, podSecurityContext and, further down, securityContext) are empty; this file is where the hardening values a chart ships with belong.
replicaCount: 1
image:
  repository: nginx
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
podAnnotations: {}
podSecurityContext: {}
  # fsGroup: 2000
Templates Folder
This is where Helm finds the YAML definitions it renders:
service.yaml
deployment.yaml
hpa.yaml
ingress.yaml
serviceaccount.yaml
_helpers.tpl
NOTES.txt
service.yaml
Here you define the Service that fronts the chart's pods in Kubernetes:
apiVersion: v1
kind: Service
metadata:
  name: {{ include "demochart.fullname" . }}
  labels:
    {{- include "demochart.labels" . | nindent 4 }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
  selector:
    {{- include "demochart.selectorLabels" . | nindent 4 }}
deployment.yaml
Generates the Deployment for your application. The pod-level and container-level securityContext blocks are where podSecurityContext and securityContext from values.yaml land, so hardening values set there reach every pod the chart creates:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "demochart.fullname" . }}
  labels:
    {{- include "demochart.labels" . | nindent 4 }}
spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "demochart.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "demochart.selectorLabels" . | nindent 8 }}
    spec:
      serviceAccountName: {{ include "demochart.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
Charts Folder
demochart/
  Chart.yaml
  values.yaml
  charts/
  templates/
  ...
The charts/ directory contains subcharts: the dependencies declared in Chart.yaml are downloaded here by helm dependency update, and any chart you place here by hand is packaged along with the parent.
Helm Chart Security
NAVIGATING HELM CHART SECURITY
Set Resource Quotas
GPG and Signing Charts
Verification and Provenance
Pod Security Policies
Role-Based Access Controls
Network Policies
Secrets Management
Helm Lint and
Cert-Manager
Dependencies
ChartCenter Mitigation
NAVIGATING HELM CHART SECURITY
Set Resource Quotas
Checksums 101
Don't forget to set resource quotas! A ResourceQuota caps what all pods in a namespace can request together, so one misconfigured or compromised workload cannot starve the node:
apiVersion: v1
kind: ResourceQuota
metadata:
  name: resources-demo
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
Once a quota covers requests and limits, the API server rejects any pod in that namespace that does not declare them, so either ship resources in the chart's values.yaml or add a LimitRange that supplies defaults.
SHA-256 and SHA-512 Hash as a Checksum
Publish the digest of every artifact you ship and compare it before unpacking. For example, the Kubernetes release publishes:
SHA256 for kubernetes.tar.gz:
f1e15dff8e36899728c6f305713bd33c6bc98655db25154e8761174b2ac434ea
SHA512 for kubernetes.tar.gz:
29ab8fab7645c6ee4583ee45feaae734953d127d1413bdd3f321789607f613646ccf8d67a57c6ce1172ae18ff9a3135a03294cac70077260388c56382ae0301d
NAVIGATING HELM CHART SECURITY
GnuPG
Signing Charts
Verification and
Provenance
Signing with GnuPG and the Helm-GPG Plugin
Step 1: install GnuPG and the plugin
brew install gpg
helm plugin install https://github.com/technosophos/helm-gpg
Step 2: create the public-private key pair
gpg --gen-key
Passphrase: *********
Example
This is my public key
--------------------------------------
pub rsa2048 2020-08-10 [SC] [expires: 2022-08-10]
1AD5246C294CD0E06936F7EFA3DB8715C26DE93F
uid [ultimate] Deep Datta <deepd@jfrog.com>
sub rsa2048 2020-08-10 [E] [expires: 2022-08-10]
helm package --sign --key 'demokey' --keyring ~/.gnupg/secring.gpg demochart
GnuPG 2.1 and later store secret keys in a new format that helm cannot read directly. Export them into the legacy secring format first:
gpg --export-secret-keys > ~/.gnupg/secring.gpg
Package and Sign the chart
You've signed the chart and created a provenance file that records its lineage: the Chart.yaml metadata plus the SHA-256 of the archive, clear-signed with your key:
demochart-0.1.0.tgz
demochart-0.1.0.tgz.prov
Now, we'll verify the signature:
helm verify demochart-0.1.0.tgz
Signed by: Deep Datta <deepd@jfrog.com>
Using Key With Fingerprint: 1AD5246C294CD0E06936F7EFA3DB8715C26DE93F
Chart Hash Verified: sha256:c5aa81aae8c139ea2005e842086a05a299881a71687f2933b7275663e56cded1
helm verify needs the .prov file next to the .tgz and the signer's public key in the keyring it reads (~/.gnupg/pubring.gpg by default; pass --keyring to use another). Consumers get the same check at install time with helm install --verify or helm pull --verify, which refuse a chart whose signature or hash does not match.
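The "Chart Hash Verified" line above is the integrity half of helm verify: after checking the PGP signature on the .prov file, helm hashes the .tgz and compares it with the sha256 the signed files: section commits to. The script below is an added example, not Helm's code, that performs that hash comparison (and the plain published-checksum comparison from the SHA-256/SHA-512 slide) with the Python standard library only; the signature check itself is left to gpg/helm. The archive bytes and the .prov text are constructed for the example, and the function names are its own.

```python
"""Added example (not Helm's code): the integrity half of `helm verify`.
A .prov file is a PGP clear-signed message: the chart's Chart.yaml followed
by a `files:` map of archive name -> sha256. helm verify checks the PGP
signature AND that the hash of the .tgz matches that map; this example
does the second half only. Sample archive and .prov text are constructed."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def digest_from_prov(prov_text: str, filename: str) -> str:
    """Pull the sha256 hex for `filename` out of the `files:` section."""
    in_files = False
    for line in prov_text.splitlines():
        if line.strip() == "files:":
            in_files = True
            continue
        if in_files and line.strip().startswith(filename + ":"):
            digest = line.split(":", 1)[1].strip()      # e.g. "sha256:abcd..."
            algo, _, hexdigest = digest.partition(":")
            if algo != "sha256":
                raise ValueError(f"unsupported digest algorithm {algo!r}")
            return hexdigest
    raise ValueError(f"{filename} not listed in provenance file")


def archive_matches_prov(archive: bytes, prov_text: str, filename: str) -> bool:
    """True when the archive hashes to the digest the .prov commits to.
    compare_digest avoids leaking the mismatch position through timing."""
    return hmac.compare_digest(sha256_hex(archive), digest_from_prov(prov_text, filename))


def archive_matches_published(archive: bytes, published_sha256: str) -> bool:
    """Same check against a bare SHA-256 published next to a download
    (the kubernetes.tar.gz checksum on the earlier slide is that kind of value)."""
    return hmac.compare_digest(sha256_hex(archive), published_sha256.strip().lower())


# --- constructed sample data -------------------------------------------------
CHART_TGZ = b"\x1f\x8b\x08\x00demochart-0.1.0 (fake gzip bytes for the example)"
CHART_NAME = "demochart-0.1.0.tgz"

# Shape of a .prov as helm writes it; the PGP armour is a placeholder here.
PROV = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

apiVersion: v2
name: demochart
version: 0.1.0
appVersion: 1.16.0

...
files:
  {CHART_NAME}: sha256:{sha256_hex(CHART_TGZ)}
-----BEGIN PGP SIGNATURE-----
(signature block omitted)
-----END PGP SIGNATURE-----
"""

# A single flipped bit in the archive must fail verification.
TAMPERED_TGZ = CHART_TGZ[:-1] + bytes([CHART_TGZ[-1] ^ 0x01])

if __name__ == "__main__":
    print("original :", archive_matches_prov(CHART_TGZ, PROV, CHART_NAME))
    print("tampered :", archive_matches_prov(TAMPERED_TGZ, PROV, CHART_NAME))
```

The hash alone proves only that the bytes match what the .prov says; without the signature check anyone who can replace the .tgz can replace the .prov as well. Trust comes from the signer's key being in your keyring, which is why helm verify fails when the public key is missing.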
NAVIGATING HELM CHART SECURITY
Pod Security
Policies
RBAC
Service Accounts
Pod Security Policy (PSP)
When you enable the PodSecurityPolicy admission controller, you can control things like:
● The running of privileged containers
● Use of host namespaces
● Use of host networking and ports
● Use of volume types
● Use of the host filesystem
● Requirements for use of a read-only root file system
● The user and group IDs of the container
● Escalation to root privileges
kubectl create -f your-new-policy.yaml
Two things to keep in mind. A PSP only takes effect once the pod's service account (or the user creating the pod) is granted the use verb on that policy through RBAC; with the admission controller on and no usable policy, every pod is rejected. And PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; the same controls (privileged, host namespaces, privilege escalation, running as root) are enforced there by Pod Security Admission through the pod-security.kubernetes.io/enforce namespace label. Either way the fields below map directly onto the securityContext settings a chart sets from values.yaml.
Disable privileged containers
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: prevent-privileged-containers
spec:
  privileged: false
Read-only file system
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: read-only-fs
spec:
  readOnlyRootFilesystem: true
Prevent privilege escalation
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: no-privilege-escalation
spec:
  allowPrivilegeEscalation: false
Prevent containers from running as root
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: must-run-as-non-root
spec:
  runAsUser:
    rule: MustRunAsNonRoot
The four snippets above show only the field each control needs. The API server rejects a PodSecurityPolicy that lacks the rule fields seLinux, supplementalGroups, runAsUser and fsGroup, so in practice you group the controls into one complete policy:
Group your policies together
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: my-policies
spec:
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
Source: https://resources.whitesourcesoftware.com/blog-whitesource/kubernetes-pod-security-policy
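Whether the cluster enforces these four controls with PSP or with Pod Security Admission, a chart author wants to know before pushing a chart whether its rendered pods would pass. The script below is an added example, not part of the webinar or of Kubernetes, that applies the four rules from the slides to pod manifests offline (the dicts a YAML parser returns for helm template output). The sample pods are constructed: one is the bare helm create default, the other the same pod with the securityContext values the policies require; the function names are the example's own.

```python
"""Added example (not from the webinar or Kubernetes): the four PSP controls
from the slides, written as an offline check over rendered pod manifests.
Pods are plain dicts (what a YAML parser returns for `helm template` output);
sample pods are constructed and the function names are this example's own."""


def pod_violations(pod: dict) -> list:
    """Return policy violations for one Pod (or a Deployment's pod template);
    an empty list means the pod satisfies all four rules."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    findings = []
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext") or {}

        # privileged: false  (a privileged container is root on the node)
        if ctx.get("privileged") is True:
            findings.append(f"{name}: privileged container")

        # allowPrivilegeEscalation: false  (must be explicit; the default is true,
        # which lets setuid binaries gain capabilities the process lacks)
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")

        # readOnlyRootFilesystem: true
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")

        # MustRunAsNonRoot: the container-level setting overrides the pod-level
        # one, and an explicit runAsUser: 0 defeats both.
        run_as_non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        run_as_user = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        if run_as_user == 0:
            findings.append(f"{name}: runs as uid 0")
        elif run_as_non_root is not True:
            findings.append(f"{name}: runAsNonRoot not enforced")
    return findings


# Constructed sample: the helm create default, no securityContext at all.
UNHARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demochart"},
    "spec": {"containers": [{"name": "demochart", "image": "nginx:1.16.0"}]},
}

# The same pod with the values the policies above require (what you would
# put under podSecurityContext and securityContext in values.yaml).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demochart"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "fsGroup": 2000},
        "containers": [{
            "name": "demochart", "image": "nginx:1.16.0",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("unhardened", UNHARDENED_POD), ("hardened", HARDENED_POD)):
        print(label, pod_violations(pod) or "OK")
```

Note that the unhardened pod fails three of the four rules simply by saying nothing: privilege escalation and a writable root filesystem are the defaults, and runAsNonRoot is unenforced unless set. That is why the empty podSecurityContext and securityContext maps in a freshly scaffolded values.yaml deserve attention before the chart is published.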
Let's Talk About Pod Access
The desired state of each cluster, and the access privileges within it, are highly configurable.
Pods themselves get security controls through the admission controller, and the permissions of users, groups and service accounts are assigned with:
Role-Based Access Control (RBAC)
Role-Based Access Control
The building blocks are Role and ClusterRole (what can be done to which resources), RoleBinding and ClusterRoleBinding (who gets that role), and the subjects they bind to: a ServiceAccount, User or Group.
Namespaces: default, kube-system, ...
[Diagram: a Role in a namespace granting get, list, watch, update and delete on a resource, attached to a subject through a RoleBinding]
Service Accounts
Who is the user working within the pod? Every pod runs as a service account, and that account's RBAC bindings decide what the workload can do against the API. Create a dedicated service account per chart to limit the permissions, and set automountServiceAccountToken: false on it (or on the pod) when the application never talks to the Kubernetes API, so a compromised container holds no usable token:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: peddling-lightningbug-mychart
  labels:
    app.kubernetes.io/name: mychart
    helm.sh/chart: mychart-0.1.0
    app.kubernetes.io/instance: peddling-lightningbug
    app.kubernetes.io/version: "1.1"
    app.kubernetes.io/managed-by: Helm
imagePullSecrets:
  - name: acr-auth
NAVIGATING HELM CHART SECURITY
Network
Policies
Network Policies
To limit access to the postgres pods so that only pods carrying the label app: balance can connect to them, create a NetworkPolicy object as follows:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: balance
  policyTypes:
    - Ingress
Once any Ingress policy selects a pod, that pod only accepts traffic a from rule matches; pods no policy selects stay open, so pair application policies with a default-deny policy for the namespace. Policies are enforced by the CNI plugin, not by Kubernetes itself; on a network plugin without NetworkPolicy support the object is accepted and silently ignored.
Network Policies
They control the traffic in and out of pods (Ingress and Egress).
[Diagram: an app: postgres pod accepts ingress from the app: balance pod, while the app: foo pod is blocked]
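Reading a NetworkPolicy correctly means applying the Kubernetes rules (unselected pods are open, selected pods admit only what some from rule matches, and policies are additive). The script below is an added example, not part of the webinar or of Kubernetes, that evaluates the postgres policy above offline for a given source and destination pod, and shows why a default-deny policy changes the answer for pods the application policy does not select. Only podSelector/matchLabels rules within one namespace are modelled; namespaceSelector, ipBlock and ports are out of scope. The default-deny policy, the sample labels and the function names are the example's own.

```python
"""Added example (not from the webinar or Kubernetes): evaluate NetworkPolicy
ingress rules offline. Models podSelector/matchLabels only, in a single
namespace; namespaceSelector, ipBlock and ports are out of scope.
The default-deny policy and sample labels are constructed."""


def selector_matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every key/value must be present on the pod.
    An empty selector ({}) matches every pod in the namespace."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def ingress_allowed(policies: list, src_labels: dict, dst_labels: dict) -> bool:
    """True if a pod with src_labels may send to a pod with dst_labels."""
    selecting = [
        p for p in policies
        if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"].get("podSelector", {}), dst_labels)
    ]
    if not selecting:
        return True          # no policy selects the destination: open by default
    for p in selecting:      # policies are additive: any matching rule admits
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:    # a rule with no `from` allows all sources
                return True
            for peer in peers:
                if "podSelector" in peer and selector_matches(peer["podSelector"], src_labels):
                    return True
    return False             # selected, but no rule admits this source


# The policy from the slide above.
POSTGRES_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default.postgres", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "postgres"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "balance"}}}]}],
        "policyTypes": ["Ingress"],
    },
}

# Constructed default-deny: selects every pod, lists no ingress rules.
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
}

if __name__ == "__main__":
    pols = [POSTGRES_POLICY]
    print("balance -> postgres:", ingress_allowed(pols, {"app": "balance"}, {"app": "postgres"}))
    print("foo     -> postgres:", ingress_allowed(pols, {"app": "foo"}, {"app": "postgres"}))
    print("foo     -> balance :", ingress_allowed(pols, {"app": "foo"}, {"app": "balance"}))
    print("foo     -> balance with default deny:",
          ingress_allowed(pols + [DEFAULT_DENY], {"app": "foo"}, {"app": "balance"}))
```

The third case is the one that surprises people: with only the postgres policy in place, foo can still reach balance, because nothing selects balance. Adding DEFAULT_DENY closes that gap without changing the balance-to-postgres path the application policy opens.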
NAVIGATING HELM CHART SECURITY
Secrets
Management
Helm-Secrets
Plugin
Don't store sensitive information (passwords, authentication credentials, API keys...) in ConfigMaps!
Secrets Management
Secrets: sensitive data
ConfigMaps: key/value pairs that are not intended to be hidden
A Secret is only base64-encoded, not encrypted: anyone with RBAC permission to read it, or to exec into a pod that mounts it, sees the plaintext. Keep Secrets out of ConfigMaps and environment literals, restrict get/list on secrets to the accounts that need them, and enable encryption at rest for etcd. Reference the Secret from the pod instead of pasting the value:
env:
  - name: MYSQL_ROOT_PASSWORD
    valueFrom:
      secretKeyRef:
        name: mariadb-root-password
        key: password
These are secret!
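The quickest way to enforce the rule above is to scan rendered manifests for credentials sitting in ConfigMap data or in literal env values before they are committed or installed. The script below is an added example, not part of the webinar or of Helm, that does that over helm template style output with two heuristics: key names that suggest a credential combined with a high-entropy value, and a few well-known secret shapes (an AWS access key id, a PEM private key, a JWT). The sample manifests are constructed, the patterns and names are the example's own, and a match is a prompt to review rather than proof of a leak.

```python
"""Added example (not from the webinar or Helm): flag plaintext credentials in
rendered manifests, i.e. the anti-pattern the slide warns about. Input is
manifest text such as `helm template` output; the sample is constructed and
the heuristics and names are this example's own."""
import math
import re

SENSITIVE_KEY = re.compile(r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credential)", re.I)
KNOWN_SECRET_SHAPES = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                             # AWS access key id
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),            # PEM private key
    re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}"),  # JWT header.payload
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score well above prose."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_secret(key: str, value: str) -> bool:
    if any(p.search(value) for p in KNOWN_SECRET_SHAPES):
        return True
    # A credential-like key only counts when the value carries real information
    # (an empty string or a short placeholder is fine).
    return bool(SENSITIVE_KEY.search(key)) and len(value) >= 8 and shannon_entropy(value) > 3.0


def scan_manifest(text: str) -> list:
    """Return (kind, key) tuples for suspicious plaintext values in two places:
    `data:` entries of a ConfigMap and literal `value:` entries under `env:`
    (as opposed to valueFrom/secretKeyRef, which is the right way)."""
    findings = []
    kind = None
    in_data = False
    pending_env_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("kind:"):
            kind = line.split(":", 1)[1].strip()
            in_data = False
        elif line == "data:" and kind == "ConfigMap":
            in_data = True
        elif in_data and raw.startswith("  ") and ":" in line:
            k, v = (s.strip().strip('"') for s in line.split(":", 1))
            if looks_secret(k, v):
                findings.append((kind, k))
        elif line.startswith("- name:"):
            pending_env_name = line.split(":", 1)[1].strip()
        elif line.startswith("value:") and pending_env_name:
            v = line.split(":", 1)[1].strip().strip('"')
            if looks_secret(pending_env_name, v):
                findings.append((kind, pending_env_name))
        elif line.startswith("valueFrom:"):
            pending_env_name = None
    return findings


# Constructed manifests: a ConfigMap carrying credentials, a Deployment with a
# plaintext password env, and the secretKeyRef form from the slide (must not fire).
SAMPLE = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: info
  DB_PASSWORD: "s3cr3tP4ssw0rd!x9Q"
  AWS_KEY: AKIAIOSFODNN7EXAMPLE
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: db
          env:
            - name: MYSQL_ROOT_PASSWORD
              value: "Tr0ub4dor&3-zz"
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: mariadb-root-password
                  key: password
"""

if __name__ == "__main__":
    for kind, key in scan_manifest(SAMPLE):
        print(f"plaintext credential? {kind} key {key}")
```

LOG_LEVEL and the secretKeyRef entry pass; the three literals are reported. AKIAIOSFODNN7EXAMPLE is the documented AWS example key, which is why the shape check is a useful complement to the name-based one: the key AWS_KEY never mentions "secret".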
Secrets Management Best Practices
1. Rotate credentials
2. Encode and encrypt secrets
3. Isolate where they are used from where they are stored
4. Log and monitor the use of secrets
Source: https://www.youtube.com/watch?v=DNKcRUyz4Hw&t=215s
Helm Secrets Plugin
Usernames, passwords, database credentials, API tokens, TLS certificates: we end up putting these in plain text in many different places. Don't store them in source control unencrypted.
helm plugin install https://github.com/futuresimple/helm-secrets
(The futuresimple repository is archived; the maintained plugin now lives at https://github.com/jkroepke/helm-secrets.)
SOPS setup:
brew install sops
Create a file .sops.yaml inside the helm_vars folder that tells SOPS which key (PGP, KMS, age, ...) to encrypt to.
To get readable diffs of encrypted files in git, add to .gitattributes:
secrets.yaml diff=sopsdiffer
secrets.*.yaml diff=sopsdiffer
Supply our key/value in plain text in secrets.yaml:
mysecret: password
Let's encrypt our secrets.yaml using the helm-secrets plugin:
$ helm secrets enc ~/helm_vars/secrets.yaml
Encrypting secrets.yaml
Encrypted secrets.yaml
Only the values are encrypted; the keys stay readable so the file still reviews well, and SOPS appends a sops: block with the key metadata and a MAC over the content, so a tampered value fails on decrypt. helm secrets install decrypts on the fly and never writes the plaintext file to disk permanently.
You can also use HashiCorp Vault for advanced Secrets Management:
https://www.vaultproject.io/
NAVIGATING HELM CHART SECURITY
Helm Commands
(Helm Lint)
Let's lint our chart:
helm lint demochart
==> Linting demochart
[INFO] Chart.yaml: icon is recommended
1 chart(s) linted, 0 chart(s) failed
helm lint is your go-to tool for verifying that your chart follows best practices. It checks structure, required metadata and that the templates render; it does not judge what the rendered manifests contain, so pair it with:
helm install --dry-run --debug: renders the templates with your values and shows exactly what would be sent to the API server, without installing anything
helm get manifest [RELEASE]: prints the manifests of an already installed release, so you can review the live securityContext, RBAC and network settings a chart produced
NAVIGATING HELM CHART SECURITY
Certificates
Let’s use cert-manager by Jetstack for TLS
Install Cert-Manager using Helm Charts
TLS with Cert-Manager
Then you'll need to get a TLS certificate by installing cert-manager:
# Install the CustomResourceDefinition resources separately:
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.crds.yaml
# Create the namespace for cert-manager:
$ kubectl create namespace cert-manager
# Install the cert-manager Helm chart from ChartCenter (the center repo is added with helm repo add center https://repo.chartcenter.io):
$ helm install cert-manager center/jetstack/cert-manager --namespace cert-manager
You can do a final rollout status check with:
$ kubectl -n cert-manager rollout status deploy cert-manager
Pin the chart version (--version) in the install command, and keep the CRD manifest and the chart at the same release, since ChartCenter has since been sunset and the chart is now served from https://charts.jetstack.io.
NAVIGATING HELM CHART SECURITY
Dependencies and
Mitigation Tools
Creating a subchart
$ cd demochart/charts
$ helm create mysubchart
Creating mysubchart
$ rm -rf mysubchart/templates/*.*
Using a trusted registry
Checking Chart Dependencies:
What is a CVE?
ChartCenter Security Tab
For Chart Maintainers, Introducing:
security-mitigation.yaml
Here is the spec:
## Schema version of this YAML file
schemaVersion: v1
## Overall mitigation summary
summary: text
## External URL if you'd like to link to an external page
securityAdvisoryUrl: URL
## If you want to point us to a file instead of filling out the CVEs here
useMitigationExternalFile: boolean
mitigationExternalFileUrl: URL
## Mitigation notes for individual CVEs
mitigations:
  cves:
    ## Package URI the security mitigation is provided for: helm://... or docker://...
    affectedPackageUri:
    ## Which chart versions this CVE note belongs to, as a Masterminds/semver constraint
    ## (the library Helm itself uses), e.g. ">=1.0.0 <1.4.0"
    affectedVersions: SemVer constraint
    ## Description / note
    description: text
https://github.com/jfrog/chartcenter/blob/master/docs/security-mitigation.yaml
Here is an example of what these notes look like on ChartCenter
NAVIGATING HELM CHART SECURITY
Deploy your chart!
Get a Helm
Chart from
ChartCenter
Package and Sign the
Chart
JFrog
Container
Registry
Deploy and manage our Kubernetes
application on a trusted provider
Deploy and manage our Kubernetes
application on Rancher’s custom
catalogs
How Charts Create Reproducible Security
Organizations do not have to replicate each security step. When teams are distributed throughout the world and run multiple environments, such as test, QA, staging and production, the same immutable chart version carries the reviewed configuration into every one of them.
Immutable configurations can be shared.
[Diagram: chart version 1.5.1 promoted unchanged through Feat, Test, QA, Stage and Prod]
HELM CHART SECURITY
HELM CHART SECURITY BLUEPRINT
Set Resource Quotas
GPG and Signing Charts
Verification and Provenance
Pod Security Policies
Role-Based Access Controls
Network Policies
Secrets Management
Helm Lint and
Cert-Manager
Dependencies
ChartCenter Mitigation
Deploy Your Chart
Q&A
deepd@jfrog.com
Twitter @DeepDattaX
Chartcenter.io
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Helm Security Webinar

  • 3. Deep Datta
    deepd@jfrog.com
    Community Product Manager
    Twitter @DeepDattaX
  • 4. Agenda
    Helm 3 Introduction
    Helm Chart Security
    Show: Helm Chart Dependency Tools
  • 6. Helm is the Package Manager for Kubernetes
    Helm is a package manager for Kubernetes. It helps users create templated packages called Helm Charts that include all the Kubernetes resources required to deploy a particular application.
    Helm then assists with installing the Helm Chart on Kubernetes:
    ● install
    ● linting
    ● status
    ● test
    ● verify
    ● deploy
    ● upgrade
    ● rollback
  • 7. Helm 2 vs Helm 3
    Tiller was removed in Helm 3: Removal of Tiller
  • 8. Helm 2 vs Helm 3
    Helm 3 interacts directly with the Kubernetes API
    Role Based Access Controls
  • 9. Here are more improvements to Helm 3:
    Dependencies: used to live in a requirements.yaml file, but are now part of the Chart.yaml file.
    Releases in namespaces
    Three-way strategic merge patch
    OCI Registries for charts
    Chart validation: JSON Schema support is added
    Improved CRD support: Kubernetes Custom Resource Definition (CRD) installations
    Library charts: a class of charts called “library charts” is introduced in Helm 3
  • 10. New commands help with monitoring
    helm status [RELEASE]     Displays the status of the named release
    helm list | helm ls       Lists all the releases
    helm history [RELEASE]    Prints the history of a release
    $ helm history demo-rel
    REVISION  UPDATED                   STATUS      CHART         APP VERSION  DESCRIPTION
    1         Mon Oct 3 10:15:13 2016   superseded  alpine-0.1.0  1.0          Initial install
    2         Mon Oct 3 10:15:13 2016   superseded  alpine-0.1.0  1.0          Upgraded successfully
    3         Mon Oct 3 10:15:13 2016   superseded  alpine-0.1.0  1.0          Rolled back to 2
    4         Mon Oct 3 10:15:13 2016   deployed    alpine-0.1.0  1.0          Upgraded successfully
  • 11. Let’s talk about the structure of a basic Helm Chart
    Helm Charts Summary
    When you publish a Helm chart, you can take care of all the security issues beforehand. Helm holds the final package with all of your previously approved configuration options and pieces in place, and creates an immutable way to manage security, with each chart version and each build being tracked.
    Chart.yaml
    charts/
    templates/
    values.yaml
  • 12. Creating your first chart
    Things to keep in mind
  • 13. Let’s create our first helm chart
    $ helm create demochart
  • 15. Chart.yaml
    This is where metadata about the chart lives. You also declare dependencies here.
    apiVersion: v2
    name: demochart
    description: A Helm chart for Kubernetes
    type: application
    version: 0.1.0
    appVersion: 1.16.0
    dependencies:
      - name: nginx
        version: "1.2.3"
        repository: "https://example.com/charts"
      - name: memcached
        version: "3.2.1"
        repository: "https://another.example.com/charts"
  • 16. values.yaml
    This is where you define your configuration options for each deployment
    replicaCount: 1
    image:
      repository: nginx
      pullPolicy: IfNotPresent
      # Overrides the image tag whose default is the chart appVersion.
      tag: ""
    imagePullSecrets: []
    nameOverride: ""
    fullnameOverride: ""
    serviceAccount:
      # Specifies whether a service account should be created
      create: true
      # Annotations to add to the service account
      annotations: {}
      # The name of the service account to use.
      # If not set and create is true, a name is generated using the fullname template
      name: ""
    podAnnotations: {}
    podSecurityContext: {}
      # fsGroup: 2000
  • 17. Templates Folder
    This is where Helm finds the YAML definitions
    service.yaml
    deployment.yaml
    hpa.yaml
    ingress.yaml
    serviceaccount.yaml
    _helpers.tpl
    NOTES.txt
  • 18. service.yaml
    Here you can define your set of services for the pods in Kubernetes
    apiVersion: v1   # Service is in the core API group
    kind: Service
    metadata:
      name: {{ include "demochart.fullname" . }}
      labels:
        {{- include "demochart.labels" . | nindent 4 }}
    spec:
      type: {{ .Values.service.type }}
      ports:
        - port: {{ .Values.service.port }}
          targetPort: http
          protocol: TCP
          name: http
      selector:
        {{- include "demochart.selectorLabels" . | nindent 4 }}
  • 19. deployment.yaml
    Generates the metadata of your deployment
    apiVersion: apps/v1   # Deployment is in the apps API group
    kind: Deployment
    metadata:
      name: {{ include "demochart.fullname" . }}
      labels:
        {{- include "demochart.labels" . | nindent 4 }}
    spec:
      {{- if not .Values.autoscaling.enabled }}
      replicas: {{ .Values.replicaCount }}
      {{- end }}
      selector:
        matchLabels:
          {{- include "demochart.selectorLabels" . | nindent 6 }}
      template:
        metadata:
  • 22. NAVIGATING HELM CHART SECURITY
    Set Resource Quotas
    GPG and Signing Charts
    Verification and Provenance
    Pod Security Policies
    Role-Based Access Controls
    Network Policies
    Secrets Management
    Helm Lint and Cert-Manager
    Dependencies
    ChartCenter Mitigation
  • 23. NAVIGATING HELM CHART SECURITY
    Set Resource Quotas
    Checksums 101
  • 24. Don’t forget to set resource quotas!
    apiVersion: v1   # ResourceQuota is in the core API group
    kind: ResourceQuota
    metadata:
      name: resources-demo
    spec:
      hard:
        requests.cpu: "1"
        requests.memory: 1Gi
        limits.cpu: "2"
        limits.memory: 2Gi
  • 26. SHA-256 and SHA-512 Hash as a Checksum
    SHA256 for kubernetes.tar.gz:
    f1e15dff8e36899728c6f305713bd33c6bc98655db25154e8761174b2ac434ea
    SHA512 for kubernetes.tar.gz:
    29ab8fab7645c6ee4583ee45feaae734953d127d1413bdd3f321789607f613646ccf8d67a57c6ce1172ae18ff9a3135a03294cac70077260388c56382ae0301d
  • 27. NAVIGATING HELM CHART SECURITY
    GnuPG
    Signing Charts
    Verification and Provenance
  • 28. Signing with GnuPG and the Helm-GPG Plugin
    Step 1: install gpg and the plugin
    $ brew install gpg
    $ helm plugin install https://github.com/technosophos/helm-gpg
    Step 2: Create the public-private key pair
    $ gpg --gen-key
    Passphrase: *********
  • 29. Example
    This is my public key
    --------------------------------------
    pub   rsa2048 2020-08-10 [SC] [expires: 2022-08-10]
          1AD5246C294CD0E06936F7EFA3DB8715C26DE93F
    uid           [ultimate] Deep Datta <deepd@jfrog.com>
    sub   rsa2048 2020-08-10 [E] [expires: 2022-08-10]
  • 30. Package and Sign the chart
    $ helm package --sign --key 'demokey' --keyring ~/.gnupg/secring.gpg demochart
    GnuPG 2.1: use the following command to transfer your keys into the old file format that Helm reads:
    $ gpg --export-secret-keys > ~/.gnupg/secring.gpg
  • 31. You’ve signed and created a provenance file to track lineage
    demochart-0.1.0.tgz
    demochart-0.1.0.tgz.prov
  • 32. Now, we’ll verify the signature:
    $ helm verify demochart-0.1.0.tgz
    Signed by: Deep Datta <deepd@jfrog.com>
    Using Key With Fingerprint: 1AD5246C294CD0E06936F7EFA3DB8715C26DE93F
    Chart Hash Verified: sha256:c5aa81aae8c139ea2005e842086a05a299881a71687f2933b7275663e56cded1
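Added example, not from the webinar: the "Chart Hash Verified" half of helm verify, reimplemented in Python over a constructed provenance body and a stand-in archive. It shows how the files: section of the .prov file binds the archive to its SHA-256; the PGP signature check over the provenance text (the other half, which needs the keyring) is left out, and the signature block below is a placeholder.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the packaged chart archive demochart-0.1.0.tgz
# (an arbitrary byte string, not a real chart tarball).
CHART_NAME = "demochart-0.1.0.tgz"
CHART_BYTES = b"constructed stand-in for the demochart-0.1.0.tgz archive"


def build_prov_body(chart_name: str, chart_bytes: bytes) -> str:
    """Return the clearsigned text a Helm .prov file carries: the Chart.yaml,
    a '...' separator and a files: section binding the archive to its SHA-256.
    The PGP signature block is a constructed placeholder here."""
    digest = hashlib.sha256(chart_bytes).hexdigest()
    return (
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
        "apiVersion: v2\nname: demochart\nversion: 0.1.0\n\n...\n"
        f"files:\n  {chart_name}: sha256:{digest}\n"
        "-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n"
        "-----END PGP SIGNATURE-----\n"
    )


def prov_file_digests(prov_text: str) -> dict:
    """Parse the files: section into {archive name: hex sha256}."""
    digests = {}
    in_files = False
    for line in prov_text.splitlines():
        if line.strip() == "files:":
            in_files = True
            continue
        if in_files:
            m = re.match(r"^\s+(\S+):\s*sha256:([0-9a-f]{64})\s*$", line)
            if not m:
                break  # end of the files: block
            digests[m.group(1)] = m.group(2)
    return digests


def chart_hash_verified(chart_name: str, chart_bytes: bytes, prov_text: str) -> bool:
    """The archive on disk must hash to the digest recorded in the provenance
    file; a missing entry counts as a failure, never as a pass."""
    expected = prov_file_digests(prov_text).get(chart_name)
    if expected is None:
        return False
    actual = hashlib.sha256(chart_bytes).hexdigest()
    return hmac.compare_digest(expected, actual)


PROV = build_prov_body(CHART_NAME, CHART_BYTES)

if __name__ == "__main__":
    print("intact archive:", chart_hash_verified(CHART_NAME, CHART_BYTES, PROV))
    print("tampered archive:", chart_hash_verified(CHART_NAME, CHART_BYTES + b"x", PROV))
```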
  • 33. NAVIGATING HELM CHART SECURITY
    Pod Security Policies
    RBAC
    Service Accounts
  • 34. Pod Security Policy (PSP)
    When you enable Pod Security Policies, you can control things like:
    ● The running of privileged containers
    ● Use of host namespaces
    ● Use of host networking and ports
    ● Use of volume types
    ● Use of the host filesystem
    ● Requirements for use of a read only root file system
    ● The user and group IDs of the container
    ● Escalations of root privileges
    $ kubectl create -f your-new-policy.yaml
    (PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; the built-in Pod Security Admission controller now enforces the same kinds of restrictions.)
  • 35. Disable privileged containers
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: prevent-privileged-containers
    spec:
      privileged: false
    https://resources.whitesourcesoftware.com/blog-whitesource/kubernetes-pod-security-policy
  • 36. Read-only file system
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: read-only-fs
    spec:
      readOnlyRootFilesystem: true
    https://resources.whitesourcesoftware.com/blog-whitesource/kubernetes-pod-security-policy
  • 37. Prevent privilege escalation
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: no-privilege-escalation
    spec:
      allowPrivilegeEscalation: false
    https://resources.whitesourcesoftware.com/blog-whitesource/kubernetes-pod-security-policy
  • 38. Prevent containers from running as root
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: must-run-as-non-root
    spec:
      runAsUser:
        rule: MustRunAsNonRoot
    https://resources.whitesourcesoftware.com/blog-whitesource/kubernetes-pod-security-policy
  • 39. Group your policies together
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: my-policies
    spec:
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      runAsUser:
        rule: MustRunAsNonRoot
      # The PSP API also requires these strategy fields; RunAsAny leaves them unrestricted
      seLinux:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
    https://resources.whitesourcesoftware.com/blog-whitesource/kubernetes-pod-security-policy
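Added example, not from the webinar: a small Python check that applies the four restrictions of the grouped policy above to a pod manifest and lists every violation an admission controller would reject it for. The policy and both pods are constructed inline as dicts; the check mirrors PSP semantics (including the Kubernetes default of allowPrivilegeEscalation: true when unset) rather than calling the API.

```python
# Constructed policy: the four restrictions grouped together on the slide above.
POLICY = {
    "privileged": False,
    "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
}


def container_violations(name, ctx, pod_ctx, policy):
    """Compare one container's securityContext (falling back to the pod-level
    securityContext for the user settings) against the policy."""
    findings = []
    if policy.get("privileged") is False and ctx.get("privileged", False):
        findings.append(f"{name}: privileged container is not allowed")
    if policy.get("readOnlyRootFilesystem") and not ctx.get("readOnlyRootFilesystem", False):
        findings.append(f"{name}: root filesystem must be read-only")
    # Kubernetes treats an unset allowPrivilegeEscalation as true
    if policy.get("allowPrivilegeEscalation") is False and ctx.get("allowPrivilegeEscalation", True):
        findings.append(f"{name}: privilege escalation must be disabled")
    if policy.get("runAsUser", {}).get("rule") == "MustRunAsNonRoot":
        non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False))
        uid = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        if not non_root and uid in (None, 0):  # neither asserted non-root nor a non-zero UID
            findings.append(f"{name}: must run as a non-root user")
    return findings


def pod_violations(pod, policy=POLICY):
    """All findings for every container and init container of a pod manifest."""
    spec = pod["spec"]
    pod_ctx = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings += container_violations(c["name"], c.get("securityContext", {}), pod_ctx, policy)
    return findings


# Constructed sample pods: one that the policy rejects, one that passes.
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
           "spec": {"containers": [{"name": "app", "image": "nginx",
                                    "securityContext": {"privileged": True}}]}}
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "good"},
            "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
                     "containers": [{"name": "app", "image": "nginx",
                                     "securityContext": {"readOnlyRootFilesystem": True,
                                                         "allowPrivilegeEscalation": False}}]}}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], pod_violations(pod))
```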
  • 40. Let’s Talk About Pod Access
    The desired state of each cluster and the access privileges within each node are highly configurable. Even pods have security features that can be activated with the admission controller and by assigning unique privileges to users and groups using Role-Based Access Control (RBAC).
  • 43. Service Accounts
    Who is the user working within the pod? You can create service accounts to limit the permissions.
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: peddling-lightningbug-mychart
      labels:
        app.kubernetes.io/name: mychart
        helm.sh/chart: mychart-0.1.0
        app.kubernetes.io/instance: peddling-lightningbug
        app.kubernetes.io/version: "1.1"
        app.kubernetes.io/managed-by: Tiller   # a Helm 2 release; Helm 3 sets this label to Helm
    imagePullSecrets:
      - name: acr-auth
  • 44. NAVIGATING HELM CHART SECURITY
    Network Policies
  • 46. Network Policies
    To limit access to a service so that only selected Pods can query it (here, only Pods labelled app: balance may reach the Pods labelled app: postgres), create a NetworkPolicy object as follows:
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: default.postgres
      namespace: default
    spec:
      podSelector:
        matchLabels:
          app: postgres
      ingress:
        - from:
            - podSelector:
                matchLabels:
                  app: balance
      policyTypes:
        - Ingress
  • 47. Network Policies
    They control the traffic in and out of pods.
    [Diagram: Pods labelled app: postgres, app: balance and app: foo, with Ingress and Egress arrows between them]
  • 48. NAVIGATING HELM CHART SECURITY
    Secrets Management
    Helm-Secrets Plugin
  • 49. Secrets Management
    Don’t store sensitive information (passwords, authentication credentials, API keys...) in ConfigMaps!
    Secrets: sensitive data
    ConfigMaps: key:value pairs that are not intended to be hidden
  • 50. These are secret!
    env:
      - name: MYSQL_ROOT_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mariadb-root-password
            key: password
  • 51. Secrets Management Best Practices
    1. Rotate credentials
    2. Encode and encrypt secrets
    3. Isolate where they are used and where they are stored
    4. Log and monitor the use of secrets
    Source: https://www.youtube.com/watch?v=DNKcRUyz4Hw&t=215s
  • 52. Helm Secrets Plugin
    Usernames, Passwords, Database Credentials, API Tokens, TLS Certificates
    We end up putting these in plain text in many different places ...don’t store this in source control
    $ helm plugin install https://github.com/futuresimple/helm-secrets
  • 53. SOPS step
    $ brew install sops
    Create a file .sops.yaml inside the helm_vars folder.
    .gitattributes entries so that git diff shows decrypted changes through sops:
      secrets.yaml diff=sopsdiffer
      secrets.*.yaml diff=sopsdiffer
  • 54. Supply our key pair value in plain text:
    mysecret: password
    Let’s encrypt our secrets.yaml using the helm-secrets plugin:
    $ helm secrets enc ~/helm_vars/secrets.yaml
    Encrypting secrets.yaml
    Encrypted secrets.yaml
  • 55. You can also use HashiCorp Vault for advanced Secrets Management
    https://www.vaultproject.io/
  • 56. NAVIGATING HELM CHART SECURITY
    Helm Commands (Helm Lint)
  • 57. Let’s lint our chart:
    $ helm lint demochart
    ==> Linting demochart
    [INFO] Chart.yaml: icon is recommended
    1 chart(s) linted, 0 chart(s) failed
    helm lint is your go-to tool for verifying that your chart follows best practices
    helm install --dry-run --debug
    helm get manifest
  • 58. NAVIGATING HELM CHART SECURITY
    Certificates
  • 59. Let’s use cert-manager by Jetstack for TLS
  • 61. TLS with Cert-Manager
    Then you’ll need to get a TLS certificate by installing cert-manager:
    # Install the CustomResourceDefinition resources separately:
    $ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.crds.yaml
    # Create the namespace for cert-manager:
    $ kubectl create namespace cert-manager
    # Install the cert-manager Helm chart from ChartCenter into that namespace:
    $ helm install cert-manager center/jetstack/cert-manager --namespace cert-manager
    You can do a final rollout status check with:
    $ kubectl -n cert-manager rollout status deploy cert-manager
  • 62. NAVIGATING HELM CHART SECURITY
    Dependencies and Mitigation Tools
  • 63. Creating a subchart
    $ cd demochart/charts
    $ helm create mysubchart
    Creating mysubchart
    $ rm -rf mysubchart/templates/*.*
  • 64. Using a trusted registry
  • 66. What is a CVE?
  • 68. For Chart Maintainers, Introducing: security-mitigation.yaml
  • 69. Here is the spec:
    ## Schema version of this YAML file
    schemaVersion: v1
    ## Overall mitigation summary
    summary: text
    ## External URL if you'd like to link to an external page
    securityAdvisoryUrl: URL
    ## If you want to point us to a file instead of filling out the CVEs here
    useMitigationExternalFile: boolean
    mitigationExternalFileUrl: URL
    ## Mitigation notes for individual CVEs
    mitigations:
      cves:
        ## Indicates the package URI for which the security mitigation is provided: helm://… || docker://…
        affectedPackageUri:
        ## Which chart versions this CVE note belongs to
        affectedVersions: Masterminds SemVer constraint
        ## Description / note
        description: text
    https://github.com/jfrog/chartcenter/blob/master/docs/security-mitigation.yaml
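Added example, not ChartCenter's code: a Python matcher for the affectedVersions constraint syntax (the comparator, tilde, caret, comma-AND and || forms of Masterminds SemVer; hyphen ranges and wildcards are left out) applied to constructed mitigation notes, so you can ask which notes apply to a given chart or image version. The list layout of the cves: entries and the cve key are assumptions about the schema, and the CVE ids are placeholders.

```python
import re
from operator import eq, ne, gt, ge, lt, le

OPS = {"": eq, "=": eq, "==": eq, "!=": ne, ">": gt, ">=": ge, "<": lt, "<=": le}
COMPARATOR = re.compile(r"^(\^|~|>=|<=|!=|==|=|>|<)?v?(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """'1.5.1' or 'v1.5.1' -> (1, 5, 1); pre-release and build suffixes are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a semantic version: {text!r}")
    return tuple(int(x) for x in m.groups())

def comparator_matches(comp, version):
    """One comparator such as '>=1.0.0', '~1.2.0' or '^2.0.0' against a parsed version."""
    m = COMPARATOR.match(comp)
    if not m:
        raise ValueError(f"unsupported comparator: {comp!r}")
    op, base = m.group(1) or "", tuple(int(x) for x in m.group(2, 3, 4))
    if op == "^":  # caret: same major (same minor while the major is 0)
        upper = (base[0] + 1, 0, 0) if base[0] else (0, base[1] + 1, 0)
        return base <= version < upper
    if op == "~":  # tilde: same major.minor
        return base <= version < (base[0], base[1] + 1, 0)
    return OPS[op](version, base)

def version_in_constraint(constraint, version_text):
    """'||' separates alternatives; commas or spaces inside one alternative are ANDed."""
    version = parse_version(version_text)
    for alt in constraint.split("||"):
        alt = re.sub(r"(>=|<=|!=|==|=|>|<|\^|~)\s+", r"\1", alt.strip())  # '>= 1.0.0' -> '>=1.0.0'
        comps = [c for c in re.split(r"[,\s]+", alt) if c]
        if comps and all(comparator_matches(c, version) for c in comps):
            return True
    return False

# Constructed mitigation notes in the shape of the cves: fields above; the list layout
# and the cve key are assumptions about the schema, and the CVE ids are placeholders.
NOTES = [
    {"cve": "CVE-XXXX-0001", "affectedPackageUri": "helm://demochart",
     "affectedVersions": ">= 1.0.0, < 1.5.0", "description": "fixed in chart 1.5.0"},
    {"cve": "CVE-XXXX-0002", "affectedPackageUri": "docker://nginx",
     "affectedVersions": "~1.2.0 || ^2.0.0", "description": "patched image tag available"},
]

def applicable_notes(notes, package_uri, version_text):
    """Descriptions of every note whose package URI and affectedVersions match."""
    out = []
    for note in notes:
        if not note["affectedPackageUri"].startswith(("helm://", "docker://")):
            raise ValueError(f"bad affectedPackageUri: {note['affectedPackageUri']}")
        if note["affectedPackageUri"] == package_uri and \
                version_in_constraint(note["affectedVersions"], version_text):
            out.append(note["description"])
    return out
```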
  • 70. Here is an example of what these notes look like on ChartCenter
  • 71. NAVIGATING HELM CHART SECURITY
    Deploy your chart!
  • 72. Get a Helm Chart from ChartCenter
    Package and Sign the Chart
    JFrog Container Registry
    Deploy and manage our Kubernetes application on a trusted provider
  • 73. Deploy and manage our Kubernetes application on Rancher’s custom catalogs
  • 74. How Charts Create Reproducible Security
    Organizations do not have to replicate each security step: even if teams are distributed throughout the world and have multiple environments, such as test, QA, staging and production, immutable configurations can be shared.
    [Diagram: the same chart version 1.5.1 promoted through Feat, Test, QA, Stage and Prod]
  • 76. HELM CHART SECURITY BLUEPRINT
    Set Resource Quotas
    GPG and Signing Charts
    Verification and Provenance
    Pod Security Policies
    Role-Based Access Controls
    Network Policies
    Secrets Management
    Helm Lint and Cert-Manager
    Dependencies
    ChartCenter Mitigation
    Deploy Your Chart