How to secure the Helm Operator (a little more)
Problem statement
The problem statement for this piece of work was as follows:
As a platform engineer
I want our workloads to be as secure as possible
So that we don’t leave ourselves open to exploitation
Recommended Tooling
A slight tangent, but I would recommend using the following tooling to help secure your cluster workloads.
- Polaris (https://www.fairwinds.com/polaris)
- kubeaudit (https://github.com/Shopify/kubeaudit)
I am planning to write another blog post on how we use kubeaudit above as part of our CI process.
Note: There are many more, but these are a good starting point.
The Helm Operator Problem
At Mettle we run a helm operator per namespace in each of our clusters. Therefore the more namespaces in an environment the worse the overall Polaris score. However, if we can lock down this workload we will get increased security and also improve our overall Polaris score. Win, win!
For more information on the Helm Operator please see
https://github.com/fluxcd/helm-operator
Implementation
Luckily, last week my upstream PR was finally merged (https://github.com/fluxcd/helm-operator/pull/494). It allows security contexts to be set at both the pod level and the individual container level.
We can now add the following values to your HelmReleases. Because a read-only root filesystem leaves the operator with nowhere to write scratch files, an emptyDir is mounted at /tmp alongside it:
# Container-level security context for the operator container
containerSecurityContext:
  helmOperator:
    readOnlyRootFilesystem: true
# A writable scratch area, since the root filesystem is now read-only
extraVolumeMounts:
  - name: tmp
    mountPath: /tmp
extraVolumes:
  - name: tmp
    emptyDir: {}
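To see the effect of those values, below is an added example (not from the original post, and not the chart's own code) that runs the same kind of check Polaris and kubeaudit perform, over two hand-constructed Deployment manifests standing in for the Helm Operator before and after the values are applied. The container name, image and manifest shapes are assumptions for illustration; the check itself is generic and works on any Deployment loaded from YAML or from the Kubernetes API.

```python
"""Audit Deployment manifests for a read-only root filesystem.

The BEFORE/AFTER manifests are constructed stand-ins for the Helm Operator
Deployment without and with the values shown above; container name and
image are assumed, not taken from the chart.
"""
from typing import Dict, List


def audit_read_only_root(deployment: Dict) -> List[str]:
    """Return one finding per container whose root filesystem is writable.

    readOnlyRootFilesystem is only valid at the container level (a pod-level
    securityContext cannot set it), so only containers are inspected.
    """
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    for container in pod_spec.get("containers", []):
        sc = container.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(
                f"container {container['name']!r}: readOnlyRootFilesystem is not true"
            )
    return findings


def writable_paths(deployment: Dict, container_name: str) -> List[str]:
    """List the mount paths a container can still write to.

    With a read-only root filesystem, these read-write volume mounts are the
    only places the process can create files, so they are what to review.
    """
    pod_spec = deployment["spec"]["template"]["spec"]
    for container in pod_spec.get("containers", []):
        if container["name"] == container_name:
            return sorted(
                m["mountPath"]
                for m in container.get("volumeMounts", [])
                if not m.get("readOnly", False)
            )
    raise KeyError(f"no container named {container_name!r}")


# Constructed: operator Deployment with the chart defaults (no security context).
BEFORE = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "helm-operator"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {"name": "helm-operator", "image": "example/helm-operator:placeholder"}
                ]
            }
        }
    },
}

# Constructed: the same Deployment after applying the values from the post.
AFTER = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "helm-operator"},
    "spec": {
        "template": {
            "spec": {
                "containers": [
                    {
                        "name": "helm-operator",
                        "image": "example/helm-operator:placeholder",
                        "securityContext": {"readOnlyRootFilesystem": True},
                        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
                    }
                ],
                "volumes": [{"name": "tmp", "emptyDir": {}}],
            }
        }
    },
}


if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_read_only_root(manifest) or "OK")
    print("writable paths after:", writable_paths(AFTER, "helm-operator"))
```

Running it reports the single finding on the "before" manifest and none on the "after" one, with /tmp as the only remaining writable path; in practice the same functions can be pointed at `kubectl get deployment -o json` output for the operator in each namespace.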