How to secure the Helm Operator (a little more)
The problem statement for this piece of work was as follows:
As a platform engineer
I want our workloads to be as secure as possible
So that we don’t leave ourselves open to exploitation
A slight tangent, but I would recommend using the following tooling to help secure your cluster workloads.
- Polaris (https://www.fairwinds.com/polaris)
- kubeaudit (https://github.com/Shopify/kubeaudit)
I am planning to write another blog post on how we use kubeaudit above as part of our CI process.
Note: There are many more, but these are a good starting point.
The Helm Operator Problem
At Mettle we run a helm operator per namespace in each of our clusters. Therefore, the more namespaces in an environment, the worse the overall Polaris score. However, if we can lock down this workload we get increased security and also improve our overall Polaris score. Win, win!
For more information on the Helm Operator please see
Luckily, last week my upstream PR was finally merged (https://github.com/fluxcd/helm-operator/pull/494); it allows security contexts to be set at both the pod and the individual container level.
We can now add the following values to your HelmReleases.
    - name: tmp
      mountPath: /tmp
  extraVolumes:
    - name: tmp
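To see what those values buy you, here is an added example (my own illustration, not code from the post or from the helm-operator project) that audits the pod spec the operator chart renders against the same rules Polaris and kubeaudit score, including the catch that a read-only root filesystem needs the emptyDir mount at /tmp shown above. The sample pod spec is constructed by hand.

```python
"""Audit a rendered pod spec for the hardening checks Polaris/kubeaudit report on.
Example code, not from the post or the helm-operator project."""

# Constructed sample: what the hardened values would render to, with the pod and
# container security contexts set and /tmp backed by an emptyDir volume.
HARDENED_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 65534, "fsGroup": 65534},
    "containers": [{
        "name": "helm-operator",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]},
        },
        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
    }],
    "volumes": [{"name": "tmp", "emptyDir": {}}],
}


def audit_pod_spec(spec):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not spec.get("securityContext", {}).get("runAsNonRoot"):
        findings.append("pod: runAsNonRoot is not true")
    # Names of volumes that stay writable when the root filesystem is read-only.
    writable = {v["name"] for v in spec.get("volumes", []) if "emptyDir" in v}
    for c in spec.get("containers", []):
        ctx = c.get("securityContext", {})
        name = c.get("name", "?")
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities do not drop ALL")
        if not ctx.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        else:
            # The post mounts an emptyDir at /tmp for a reason: with a read-only
            # root filesystem it is the only writable path the operator gets.
            tmp_ok = any(m["mountPath"] == "/tmp" and m["name"] in writable
                         for m in c.get("volumeMounts", []))
            if not tmp_ok:
                findings.append(f"{name}: readOnlyRootFilesystem set but /tmp has no emptyDir mount")
    return findings


if __name__ == "__main__":
    for line in audit_pod_spec(HARDENED_POD_SPEC) or ["no findings"]:
        print(line)
```

Point it at a spec pulled with `kubectl get deploy <name> -o json` (the `.spec.template.spec` part) to check what actually landed in the cluster.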