Blog Image
Using Helm Charts to improve your Kubernetes Security: A Best Practice Study
09 July 2021

Using Helm Charts to improve Kubernetes Security: A Best Practice Study

There is no contest in the fact that the Kubernetes containerized approach has made running cloud-native applications on physical and virtual infrastructure more flexible. However, while Kubernetes is very handy for cloud-native developers, it has some drawbacks and requires additional support from external tools. Often developers turn to open source tools for assistance to solve these shortcomings. Working in tandem with other worldwide developers and freely sharing knowledge is what makes open source tools so great. Helm charts is one such open source tool. 

But what are Helm charts and why is Helm one of the top choices of developers in executing cloud services? Let’s take a brief look.

 


What are Helm Charts?

Helm Charts are packages of Kubernetes YAML manifests that can be easily advertised to Kubernetes clusters. Once packaged, a Helm Chart can be easily installed into the cluster using a single helm install. This makes deployment of containerised applications simple and effective

Helm charts provide several distinctive advantages. The main three advantages are as given below:

  • Improved productivity
  • Reduced microservice deployment complexity
  • Better adaptation of cloud native applications

 


Why use Helm?

Operating on Kubernetes alone can be a tedious process. Writing and maintaining Kubernetes YAML manifests for all the Kubernetes objects in itself can be time-consuming.In fact, even the simplest of deployments can require a minimum of 3 YAML manifests containing duplicate and hardcoded values. Helm reduces the complexity of this process by creating a single package that can be advertised to clusters.

 


Components of Helm

A Helm chart consists of two parts:

  1. The Client (CLI) that is located on your local workstation.
  2. The Server (Tiller) that is located on the Kubernetes Cluster to help with execution.

Developers use the CLI to push charts which are then created/ updated/ deleted from the chart by the tiller. The charts are packages of pre-configured Kubernetes resources which are deployed or released into the cluster using the Tiller. Over time, these chart repositories can be shared with other developers.

 


Creating a Helm Chart

Each Helm chart has a distinct structure at the time of creation. Run “helm create YOUR-CHART-NAME” to create a new chart. The newly created chart will have a directory structure as given below:

YOUR-CHART-NAME/
  |
  |- .helmignore
  |
  |- Chart.yaml
  |
  |- values.yaml
  |
  |- charts/
  |
  |- templates/

.helmignore: This holds files that can be ignored at the time of packaging a chart.

Chart.yaml: All information pertaining to the chart you are packaging such as version number is given here.

Values.yaml: All the values to be inserted into the templates are defined here.

Charts: All dependent charts that may be called in the chart you are deploying are given here. Without these additional charts, your chart may not function properly.

Templates: The actual manifest that is being deployed with the chart is placed here

 


Installing Helm

As a client/server application, Helm has relied on Tiller (the helm server) for deployment into client clusters until recently. Tiller receives client requests and installs the package into the cluster directly. In a way, Helm can be compared to the RPM of DEB packages in Linux. They provide a convenient and easy way for developers to package and ship their developed applications to the clients servers for installation.

Once Helm installation and configuration is complete, other production-ready applications such as MongoDB, MySQL, etc can be installed into the client Kubernetes cluster with just a single helm install command. Removing installed applications from the client cluster is just as easy too.


Benefits of Helm

Developers prefer to use Helm charts for several reasons:

1. Boosts productivity

Helm helps increase the productivity of software engineers by allowing them to deploy their test environment at just the click of a button. This helps software engineers to continue doing what they are best at, that is, writing code.

For example, an engineer will need a SQL database to test any new features created. Instead of going old school and spending time on installing the software locally followed by creating the database and tables required, all an engineer needs to do is simply run a simple helm install command to be database ready for testing.

2. Reduced complexity

Once created, a chart can be used repeatedly for any environment without the complexity of creating something new for dev, test, and prod every time. In most cases, existing charts can be fine-tuned to apply to a different environment. The advantage of charts is having readymade packages primed for deployment during the development phase.

3. Eases Kubernetes learning

Learning Kubernetes is no small feat. For the average developer, it is a time-consuming process. However, with the availability of Helm charts, it no longer is necessary for Kubernetes developers to have a detailed understanding of all the Kubernetes functions. They can simply use packaged Helm charts to develop and deploy container applications. As Helm charts easily integrate into CI/CD pipelines, software engineers can focus on writing code rather than deploying applications.

4. Simplifies deployments

Helm Charts have the capability to easily override defaults in the values.yaml file. This enables developers to override the preexisting settings to define a base setting as needed. In cases where the default installation is required, the developers or software vendors can merely skip the override option.

A developer working on pure Kuberenetes would need to have specific knowledge about the different objects, their functions, and how they are coupled to be able to deploy an application. Helm simplifies the process of deployment of Kubernetes by reducing the complexity of work involved.

 


How to Enforce Helm Security in an Automated Way

Helm charts have made the deployment and management of Kubernetes services simpler. By packaging dependencies and following best-practices in default settings, Helm chart deployments can be scaled. In addition, misconfigurations can also be avoided.

Open source Helm charts can be easily accessed from digital repositories such as Artifact Hub, Chart Museum, GitHub, and Helm.sh. These repositories have a large collection of charts that can be used to quickly and easily deploy databases into your cluster and other pre-configured services. Since Kubernetes manifests and commands are bundled with pre-vetted default values, Helm charts make scaling internal and external deployments easier. 

However, securing Helm charts is not the easy feat that securing a Kubernetes manifest is. This is mainly due to the various misconfigurations found in some of the charts such as omitting the resource limits and running root containers that are in violation of CIS Kubernetes Benchmarks. This makes it important for developers to take the responsibility to secure Helm charts before deploying them into their production environments.

Securing of Helm charts can be done early on by checking for misconfigurations at the time of downloading and fixing them. Helm charts simplify this process through versioning and rollbacks in case security patches cause interference in deployment.

Updating the misconfiguration fixes in helm charts increases their scalability and ensures that the next team that deploys the charts will have secure defaults. This will lower the possibility of attacks on the Kubernetes application


A final word

In short, Helm charts take out the complexity of application deployment to Kubernetes. Using secure Helm chart repositories reduces the time of deployment and increases security. It also significantly reduces the complexity of knowledge required to operate on Kubernetes. Helm charts offer developers an easy and efficient way of application development.

As a Kubernetes Certified Service Provider (KCSP) with the Cloud Native Computing Foundation (CNCF), Stackgenie can support your organisation to go cloud native with Kubernetes.