►
From YouTube: Uncharted Territories: Discovering Vulnerabilities in Public Helm Charts - Hayley Denbraver, Snyk
Description
Uncharted Territories: Discovering Vulnerabilities in Public Helm Charts - Hayley Denbraver, Snyk
CNCF projects are making investments in security (including the recently open sourced security audits of both Kubernetes and Helm). Helm is an interesting case study because both the security of Helm as a tool and the security of Helm Charts are important considerations for users. What do we know about the security of individual Helm Charts, what can we find out, and how does that change how we approach the project? All these questions and more will be addressed as we plot course to Helm Chart security.
A
Hello
and
welcome
to
my
talk
for
kubecon
cloudnativecon
europe
2020..
Thank
you
so
much
for
joining
me
for
uncharted
territories.
Discovering
vulnerabilities
in
public
health
charts,
so
ahoy
welcome.
Thank
you
for
coming
and
my
name
is
haley
dunbraver
and
you
can
reach
out
to
me
on
twitter.
My
handle
is
on
the
screen.
Now
it's
haileydenbee
and
I
would
love
to
hear
from
you.
I
am
a
developer
and
a
developer
advocate
and
I
love
creating
technical
educational
content.
A
I
am
coming
from
my
home
in
seattle
and
I
live
there
with
my
husband
and
my
super
cute
puppy
and
as
much
as
I
love
it
here.
I
wish
we
could
be
together
in
amsterdam
and
last
year
I
actually
had
the
pleasure
of
going
to
a
different
conference
at
the
same
venue
we
were
supposed
to
be
at
so
I
thought
I
would
bring
some
of
the
weird
conference
venue,
weird
statue,
vibe
to
this
virtual
event.
So
it's
it's
almost
like
we're
in
amsterdam
right
now.
A
This
talk
is
part
of
the
beginner
track.
It
is
for
people
who
are
new
to
the
cloud
native
ecosystem,
and
you
know,
cloud
native
is
really
fairly
young
and
in
a
way
we're
all
new,
but
every
kubecon
there
are
tons
of
people
who
it's
their
first
kubecon,
and
I'm
just
here
to
tell
you
if
you're
a
beginner
if
you're
new
at
this
it's
a-okay,
and
I
have
the
talk
for
you.
A
I
also
really
classify
myself
in
this
category
too,
I'm
fairly
new
to
the
ecosystem,
but
I
got
a
chance
to
take
a
look
at
some
interesting
vulnerabilities
that
were
in
public
helm,
charts,
and
so
even
though
I
I'm
new,
I'm
hopeful
that
this
project
will
be
interesting
to
you
and
that
we
can
all
go
away
from
the
talk.
Having
learned
something
now,
this
talk
is
going
to
be
in
about
five
parts.
First,
I'm
going
to
cover
the
cncf
and
their
general
approach
to
security.
A
Secondly,
I'm
going
to
talk
about
helm
as
a
project
and
about
the
security
posture
that
helm
has
and
from
there
we're
going
to
move
on
to
helm,
chart
security
now
helm.
Chart
security
is
distinct
from
helm
security,
because
what
we're
going
to
do
is
really
look
at
the
charts
themselves
and
the
images
contained
within
them
and
after
spending
a
bit
of
time
there
I'm
going
to
step
back
a
little
bit
and
really
bring
it
down
to
an
individual
level
and
discuss
what
everything
we've
talked
about
means
for
an
individual
user.
A
What
does
it
mean
for
you
and
how
can
you
up
your
security
game?
So
I'm
excited
it's
gonna
be
fun.
Now,
first
up
is
the
cncf
and
their
approach
to
security.
A
What
I
really
like
about
how
they
approach
security
is
that
they've
been
thoughtful
and
methodical
about
it,
and
the
first
thing
I
want
to
show
you
is:
it
is
an
image
from
their
website
and
you
may
or
may
not
have
seen
it.
This
image
really
tells
a
story
of
how
a
project
matures
through
the
cncf
ecosystem
and
really
what
sorts
of
users
are
going
to
be
interacting
with
a
project
at
a
particular
maturity
level,
and
why
I
think
this
is
interesting
from
a
security
perspective.
A
So,
basically,
as
a
project
matures
it's
going
to
meet
security
milestones
and
so,
depending
on
your
risk
tolerance,
if
your
risk
tolerance
is
higher,
if
it's
not
a
supercritical
project,
if
you're
not
it's
not
live
to
the
world,
that
sort
of
thing
you're
gonna
be
comfortable
with
the
project
earlier,
but
if
you're
more
conservative,
if
your
risk
tolerance
is
lower,
then
you're
going
to
want
to
hold
off
perhaps
until
something
has
graduated,
and
so
you
can
kind
of
see
how
our
project
evolves
and
how
it
interacts
with
the
users
at
different
stages,
and
I
just
really
like
this
image
now,
what's
extra
exciting
for
helm
today,
as
I
talk
to
you
is
that
helm
has
completed
this
pro
process
earlier
this
year
they
graduated
and
they
are
now
a
graduated
project
within
the
cncf
ecosystem
and
so
congrats
to
the
maintainers.
A
A
So
helm
joins
other
cncf
projects
that
you
know
and
love
in
the
graduation
category,
and
it
was
just
really
nice
to
see
the
project
be
promoted.
Now.
A
They
did
a
bit
of
a
pilot
program
for
a
couple
of
graduated
projects
in,
I
believe
2018
and
2019,
and
it
was
a
success,
and
so
it
has
now
rolled
out
to
all
graduated
projects.
So
I
really
encourage
you
to
read
more
about
this.
I
think
it's
really
interesting.
A
They
have
open
sourced
their
security
audits
and
you
can
learn
more
about
the
projects
and
their
approach
to
security
in
the
following
slide.
There
we
go
so
I'm
going
to
tweet
out
a
link
to
these
slides
and
you'll,
be
able
to
click
through
and
read
something
I
published
last
year
about
how
kubernetes
open
source
their
security
audit.
A
A
Additionally,
I
have
links
here
for
the
specific
helm,
security
audits
and
a
further
security
assurance
that
they
did
a
few
months
back,
and
I
think
it's
just
really
interesting,
reading
and
great
to
see
from
the
cncf
that
they
prioritize
security
in
this
way
and
hold
their
member
projects
accountable,
and
it's
just
been
really
great
to
see.
A
So
we
are
talking
primarily
about
the
helm
project,
though
today
and
helm.
I
want
to
give
you
kind
of
a
an
overview
of
it
and
again
this
may
seem
simplistic
if
you're
not
brand
new,
but
you
know
it's
important
to
say
anyway
and
that's
okay,
so
we're
gonna
talk
about
helm
and
the
first
question
you
may
ask
is
what
is
helm
well.
A
A
A
A
They
come
in
a
couple
of
different
varieties
and
the
ones
that
I'm
going
to
focus
on
are
called
stable,
helm,
charts
and
a
stable
helm
chart
are
charts
that
are
thought
to
be
mature.
So
if
we
think
back
to
that
image
from
earlier
where
a
cncf
project
goes
through
maturity,
levels
and
graduates,
we
can
kind
of
think
of
a
stable
helm
chart
as
having
graduated
it.
A
May
it
meets
some
requirements
that
the
community
sets
and
I
wouldn't
go
to
say
that
it's
like
a
stamp
of
approval,
but
it's
just
an
indication
that
the
chart
has
been
tested
by
the
community
that
it's
trusted
generally,
and
they
also
have
some
criteria
surrounding
security
vulnerabilities
and
that
the
images
should
be
generally
free
of
severe
ones
all
right.
So
we
have
these
stable,
helm,
charts
and
these
charts
are
they
incorporate
container
images
and
the
image
is
the
level
at
which
a
vulnerability
is
actually
present.
A
So
a
container
image
is
an
executable
package
of
code
and
it
has
everything
you
need
to
run
an
application,
so
a
given
chart
can
contain
or
it
can
make
use
of
a
number
of
images
or
none,
but
you'll
find
that
most
charts
use
one
or
more
of
these
and
the
vulnerabilities
we're
going
to
talk
about
are
at
this
level.
This
is
where
they're
introduced
at
this
container
image
level
all
right.
A
So
we
have
helm
the
project
which
has
you
know,
completed
this
security,
audit
and
helm.
This
package
manager
has
charts,
some
of
which
are
community
trusted,
and
you
know
somewhat
approved
by
the
community
in
these
stable
chart
versions,
and
these
charts
contain
images
and
the
images
are
where
vulnerabilities
occur.
A
So
that's
the
broad
landscape
of
of
what
we're
talking
about
and
of
where
problems
might
be
introduced
and
let's
dig
a
little
bit
deeper
into
the
security
of
these
charts.
A
All
right
so
helm
chart
security,
and
the
first
thing
to
say
is
that
this
is
definitely
distinct
from
helm
security.
So
the
security
report,
the
audit
that
helm
went
that
helm
went
through
is
really
about
their
process.
The
project
itself,
the
source
code
for
that
project.
A
It
didn't
really
incorporate
charts,
because
charts
are
things
that
you
and
I
can
make
they're
the
community
they're,
not
the
project
itself.
So,
even
though
we
have
this
security
audit
for
the
tool
of
helm,
we
do
really
need
to
think
about
whether
there
are
vectors
and
problems
within
these
charts.
A
So
last
year
I
had
the
pleasure
of
looking
into
this
in
more
depth
and
I
wrote
a
report
that
we
called
uncharted
territories.
The
untold
tale
of
helm
chart
security,
and
this
was
really
exciting
because
you
know
I
wrote
it,
but
I
worked
with
some
people
within
snake
who
really
really
know
the
ecosystem,
and
we
were
communicating
with
some
maintainers
and
that
sort
of
thing,
and
just
going
back
and
forth
about
these
things
and
finding
vulnerabilities
and
being
surprised
at
what's
there
and
it's
just
really
exciting.
A
A
We're
going
to
talk
specifically
about
vulnerabilities
within
these
images
and
a
vulnerability
for
the
purpose
of
this
talk
is
an
exploitable
issue
present
in
a
container
image,
and
these
vulnerabilities
can
be
divided
into
different
classes.
You
can
kind
of
sort
them
by
type
and
each
of
these
types
they
they
correspond
roughly
to
cwe's,
which
is
a
common
web
enumeration.
It's
a
community
developed
list
of
software
security
problems.
A
So
just
real
quick,
too.
A
If
images
are
interesting
because
you
can
kind
of
think
of
them
as
like
building
blocks
or
you
know,
you're
putting
together
something-
and
you
may
think
that
if
I
haven't
a
vulnerability
in
a
given
chart
that
it's
in
one
place,
but
really
if
the
little
block
that
you're
using
to
build
this
has
a
problem
in
it.
And
then
you
use
that
block
in
several
places.
A
A
Taking
care
of
the
entire
problem,
it
could
be
elsewhere
in
your
image
that
sort
of
thing-
and
so
I
just
wanted
to
put
this
up
here,
so
it's
clear
that
we're
not
double
counting
if
that
makes
sense,
even
though
the
vulnerabilities
may
match
they're
present
in
multiple
places.
So
let
me
show
you
the
tools
I
used
to
find
these
vulnerabilities.
A
First
off,
I
used
an
open
source,
helm
plugin
that
was
written
and
maintained
by
some
of
my
teammates
at
sneak,
and
you
can
use
this
too.
All
you
need
is
a
free
sneak
account
and
to
follow
the
instructions
that
are
provided
on
the
readme
I'll
also
have
a
link
for
this
later
in
the
presentation.
If
you
are
curious
to
test
your
own
charts,
so
I
have
this
plugin
and
this
plug-in.
What
it
basically
does
is
for
a
given
chart.
A
It
figures
out
what
which
images
are
being
used
and
those
images
are,
you
know
they
have
operating
system
dependencies
and
those
are
checked
against
a
vulnerability
database
that
sneak
maintains
and
then
the
plug-in
gives
back
a
bunch
of
information
about
the
vulnerabilities
present
their
severity,
where
they're
found
how
often
they
occur
in
the
image
or
in
the
chart
and
you're
able
to
get
a
holistic
a
wide-ranging
view
of
the
security
of
this
chart.
So
it's
really
interesting.
A
I
encourage
you
to
try
it
out
and
to
dig
into
the
data
that's
provided
by
this
plugin
and
again
it's
open
source
all
right.
So
so
I
used
the
tool
we
talked
about
earlier.
A
This
sneak
plugin
for
helm
and
I
ran
it
against
every
chart
that
is
available
in
the
helm,
charts
repo
within
their
stable
folder,
and
I
had
some
python
scripts
that
do
this
and
it
would
go
through
and
find
all
the
stable
charts
and
run
this
test
right
and
load
that
up
into
a
database
got
some
data
and
took
a
look
into
it
and
see
what
we
could
see.
Basically
now
the
following
are
some
basic
helm:
chart
landscape,
just
basic
things.
A
We
learned
about
what
are
in
the
public
health
charts,
and
then
I
have
some
more
specifics
about
the
types
of
vulnerabilities
and
you
know
what
we
see
most
often,
that
kind
of
thing
so
general
general
thoughts
is
that
most
of
the
stable
helm
charts
are
using
an
associated
container
image.
A
It
was
higher
than
I
thought
it
would
be,
but
we
also
found
that
there
are
a
total
of
more
than
30
000
operating
system
package
dependencies.
So
we're
really
talking
about
a
lot
of
different
dependencies
and
in
total,
more
than
40
000
vulnerabilities
have
been
found.
Now
these
are
unique
vulnerabilities.
A
So
to
continue
in
that
vein,
the
sorry
the
average
chart
contains
two
images
and
all
of
the
charts
or
like,
if
you
consider,
okay,
how
many
images
are
used
throughout
these
public,
stable
helm,
charts
and
the
answer
that
is
around
416.
A
for
an
average
chart
you're
going
to
have
about
80
81
operating
system
package
dependencies
per
image.
So
if
you're
using
two
images,
you'll
have
twice
that
generally
and
an
image
could
have
anywhere
between
zero
operating
system
dependencies
to
more
than
500,
and
this
will
correspond
to
anywhere
between
no
vulnerabilities
and
nearly
a
thousand
vulnerabilities
per
image,
and
those
numbers
can
seem
kind
of
intimidating,
or
at
least
I
I
thought
so,
but
when
we
really
look
at
it
it
it
gets
a
little
bit.
A
Cheerier
and
one
thing
I
would
say
that
surprised
me
is
that
we
found
that
six
images
were
could
account
for
nearly
half
of
or
so
six
images
accounted
for,
nearly
half
of
the
vulnerable
images
that
were
used
within
these
charts,
and
that
was
really
interesting
to
me.
It's
not
to
say
that
these
images
are
the
most
insecure
or
the
worst
or
anything
like
that.
Don't
don't
take
that
away
from
it?
A
What
it
just
means
is
these
images
are
used
frequently
and
they
do
have
some
vulnerabilities
and
because
of
that,
those
vulnerabilities
crop
up
more
frequently
than
perhaps
more
severe
vulnerabilities
found
in
more
obscure
images.
So
it's
not
necessarily
to
say
that,
like
these
are
bad
offenders
or
anything
like
that.
We
just
want
to
understand
where
the
share
of
the
vulnerabilities
are
found
and
what
we
can
do
about
it
so
to
continue.
A
A
So
the
thing
is,
you
know
you
will
find
some
pretty
severe
problems
and
they're
really
things
that
we're
gonna
want
to
look
at
and
consider
how
we
might
remediate
or
how
we
might
further
protect
ourselves.
A
So
I
also
wanted
to
point
out
this
chart,
which
is
it'll,
show
us
the
share.
Each
kind
of
vulnerability
has
within
the
landscape,
and
I
have
picked
the
top
three
to
discuss
just
a
little
bit
further
and
we'll
be
able
to
basically
know
what
sorts
of
things
you
could
do
to
protect
yourself.
A
A
They
can
either
be
out
of
bounds,
read
or
out
of
bounds
right
and
in
either
case
it
involves
accessing
data
outside
of
the
intended
buffer,
and
in
this
case
you
can
solve
a
lot
of
these
issues
and
protect
yourself
with
careful
handling
of
input
data.
So
it
may
include
a
white
list
system.
A
You
may
check
buffer
links,
so
you
can
be
sure
you're,
not
getting
data
you're,
not
expecting
that
sort
of
thing.
So,
even
if
these
are
present,
there
are
things
that
you
can
do
to
help
protect
your
project
against
this.
So
of
the
two
types
out
of
bound
right
is
more
of
a
problem
because,
in
addition
to
accessing
data,
you
may
find
someone
who
is
able
to
execute
some
code
and
the
possibility
of
this
malicious
code
execution.
A
A
You
can
also
make
sure
that
the
destination
buffer
size
is
equal
to
the
source
and
truncate
anything
that
doesn't
make
sense,
and
if
you
do
these
sorts
of
things
it
it'll
help
you
be
more
secure
and
you'll
have
to
worry
less
about
this
kind
of
vulnerability.
A
All
right.
So
after
out
of
bounds,
we're
gonna
talk
about
access
restriction
bypass
now,
access
restriction,
bypass
vulnerabilities
are
the
second
most
common
type
that
I
found
in
the
helm,
charts
and
an
access
restriction
bypass
can
occur,
a
number
of
different
ways
you
can
think
about
it
as
like.
Basically,
someone
is
able
to
get
past
a
check
of
their
identity
in
some
way,
so
in
real
life.
A
So
that's
that's
a
real
life
kind
of
version
of
that,
but
you
may
also
be
able
to
do
things
that
the
creator
may
not
wanted
to
have.
Given
you
that
permission,
so
maybe
someone
in
the
club
is
able
to
charge
a
drink
to
a
tab
that
they
shouldn't
have
access
to
that
kind
of
thing
for
the
real
life
example.
A
So,
finally,
the
accountability
might
be
bypassed.
So
what
this
means
is
that
generally
you're
gonna
do
some
logging
of
user
behavior
and
if
you're
intending
to
do
this,
but
you
don't
someone
could
be
doing
malicious
things
and
it's
not
getting
recorded
and
it's
flying
under
your
radar.
A
A
Enforcement
occurs
when
the
program
fails
to
adhere
to
the
guidelines
that
an
admin
sets.
So
if
there's
a
known
enforcement
problem,
you'd
be
well
you,
it
would
just
serve
you
well
to
write
some
tests
and
run
them
and
ensure
that
your
highly
sensitive
data,
your
highly
sensitive
data
and
your
highly
sensitive
functionality
are
protected.
A
So
what
this
means
for
you
is
remediation
fix.
The
images
choose
images.
Well,
if
you
can
use
your
tools
with
open
eyes
and
consider
all
of
your
vectors.
So
what
I
mean
by
that
is,
you
may
feel
good
about
using
helm,
and
you
should
because
they
have
invested
in
security
right,
but
you
want
to
use
the
tool
with
open
eyes,
knowing
that
there
could
be
problems
and
knowing
that
problems
could
come
from
different
vectors,
like
the
charts.
A
A
A
This
is
a
big
deal
and
all
all
graduated
projects
should
use
secure
by
default
configurations,
but
you
want
to
be
thoughtful
about
this
and
it'd
be
good
to
run
this
by
someone
if
you're
unsure.
So
I
do
want
to
say.
Thank
you.
Thank
you
for
having
me
it's
been
a
pleasure.
A
Thank
you
to
the
helm,
maintainers
you've
done
excellent
work
and
I'm
so
happy
for
you
that
your
project
graduated.
Thank
you
to
the
folks
listed
here
who
are
on
my
team
at
sneak.
You
were
very
helpful
and
and
great
and
thank
you
to
growth
labs,
who
is
responsible
for
some
of
the
images
shown
in
this.