How to secure the Helm Operator (a little more)

Problem statement

The problem statement for this piece of work was as follows:

As a platform engineer
I want our workloads to be as secure as possible
So that we don’t leave ourselves open to explotation

Recommended Tooling

A slight tangent, but I would recommend using the following tooling to help secure your cluster workloads.

• Polaris (https://www.fairwinds.com/polaris)
• kubeaudit (https://github.com/Shopify/kubeaudit)

I am planning to write another blog post on how we use kubeaudit above as part of our CI process.

Note: Their are many more but these are a good starting point.

The Helm Operator Problem

At Mettle we run a helm operator per namespace in each of our clusters. Therefore the more namespaces in an environment the worse the overall Polaris score. However, if we can lock down this workload we will get increased security and also improve our overall Polaris score. Win, win!

For more information on the Helm Operator please see
https://github.com/fluxcd/helm-operator

Implementation

Luckily, last week my upstream PR was finally merged (https://github.com/fluxcd/helm-operator/pull/494) this allows security contexts to be set at both the pod and individual container level.

We can now add the following values to your HelmRelease’s.

containerSecurityContext:                             
  helmOperator:
    readOnlyRootFilesystem: true
                                                   extraVolumeMounts:                             
  - name: tmp                               
    mountPath: /tmp                                                   extraVolumes:                             
  - name: tmp                               
    emptyDir: {}