
Securing Helm

Alex Khaerov
May 28, 2019
Helm, the tool for managing Kubernetes packages called charts
Agenda
===
Helm… What is Helm?
Helm architecture
An attack vector
Securing Helm: RBAC, Release, Chart repo, gRPC…
Helm future and alternatives
Q&A


Transcript

  2. Securing Helm
    Alex Khaerov
    hayorov

  3. @hayorov
    Hi ✋

  4-7. @hayorov
    Who I am: Alex Khaerov, Development Lead
    Company: Chainstack, multi-cloud and multi-blockchain platform as a service, based in Singapore *
    doing software development in the recent decade
    junior speaker - Python, Kubernetes
    committee member (Moscow Python, Helm Summit)
    huge fan of laptop stickers

  8. @hayorov
    Agenda
    Helm… What is Helm?
    Helm architecture
    An attack vector
    Securing Helm: RBAC, Release, Chart repo, gRPC…
    Helm future and alternatives
    Q&A

  9-12. @hayorov
    Helm: the tool for managing Kubernetes packages called charts
    nurtured by (logos on the slide)
    12k / 1k*
    * GitHub stars, Jan 2019

  13. @hayorov
    Helm Summit 2019: September 11 - 12, 2019
    Pakhuis de Zwijger, Amsterdam, The Netherlands
    https://events.linuxfoundation.org/events/helm-summit-2019/
    CFP is open – Apply now! | #helmsummit

  14-22. @hayorov
    Helm addresses several needs:
    Packaging
    Manage complexity
    Application lifecycle
    Application metadata
    Repositories
    Package dependencies
    Parametrisation
    Templating
    Deploy/config revisions
    Rollbacks
    Hooks
    Application probes
    “Batteries included”
    CLI plugins

  23-27. @hayorov
    There are three important concepts: Chart, Config, Release

  28-37. @hayorov
    Helm architecture (diagram): Helm CLI with Kubeconfig, Chart Repo, Tiller, kube-apiserver

  38-53. @hayorov
    An attack vector
    several angles from which someone might try to abuse Helm/Tiller:
    • A privileged API user, such as a cluster-admin.
    • A low-privilege API user, such as a user who has been restricted to a single namespace using RBAC
    • An in-cluster process, such as a compromised webserver.
    • A hostile chart author can create a chart containing unexpected resources. These can either escalate one of the other groups above, or run other malicious jobs.
    (diagram: Helm CLI with Kubeconfig, Chart Repo, K8s cluster, Tiller; actors: Admin, Non-admin)

  54-63. @hayorov
    Helm architecture / An attack vector (diagram)
    Helm CLI (with Kubeconfig) talks to Tiller over gRPC; charts are fetched from the Chart Repo over HTTP
    K8s cluster: the kube-system ns holds the Kube-apiserver, the Tiller-deploy svc and pod, its Service Account and the Release configmap; the microservice ns / release ns(s) hold the Release deployment, svc and configmap and the Microservice pod

  64-69. @hayorov
    Kubernetes RBAC
    • Turn RBAC on
    • Tiller uses the default service account in a namespace
    • helm init does not create the associated ServiceAccount/Roles/RoleBindings ☝
    advocacy site for RBAC: https://rbac.dev/
    (diagram: Tiller-deploy svc and pod, Service Account (Default), Role, RoleBinding, Release configmap, Rest API with RBAC)

  70-71. @hayorov
    Kubernetes RBAC
    • No multi-tenancy support
    • Solution - Multi-Tiller installations
    • Per developer, per team, per environment
    (diagram: the Cluster Admin's Helm CLI with Kubeconfig reaches a Tiller in the kube-system ns over gRPC; the X Team's Helm CLI with Kubeconfig reaches its own Tiller in the X Team ns; each Tiller-deploy pod has its Service Account and Release configmap, manages the Release deployment/svc/configmap, and reaches the Kube-apiserver over RestAPI subject to RBAC)
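As an added example (not from the talk), the objects helm init leaves to you for a per-team Tiller, plus a guard against the two defaults the slides warn about; the namespace "x-team", the service account name "tiller-x-team" and the Role's rules are assumptions, and the Tiller namespace must then be passed to every helm command for that team.

```shell
#!/bin/sh
# Added example (not from the talk): per-namespace Tiller with its own
# ServiceAccount/Role/RoleBinding, which `helm init` does not create for you.
# Assumed names: namespace "x-team" and service account "tiller-x-team".
set -eu

# Emit the RBAC manifest for a Tiller that may only touch one namespace.
# A Role (not a ClusterRole) keeps the grant namespace-scoped; the rules are a
# constructed starting point and should be trimmed to what your charts need.
tiller_rbac_manifest() {
  ns="$1"
  sa="$2"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tiller-manager
  namespace: ${ns}
rules:
- apiGroups: ["", "apps", "extensions", "batch"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-binding
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Refuse the two defaults the talk warns about: Tiller running as the
# namespace's "default" service account, or a team Tiller living in kube-system.
check_tiller_target() {
  ns="$1"
  sa="$2"
  [ "$sa" != "default" ] || return 1
  [ "$ns" != "kube-system" ] || return 1
  return 0
}

# Apply the manifest and install this team's Tiller bound to that account.
# --tiller-namespace puts Tiller into the team namespace (one Tiller per team);
# the same --tiller-namespace is then passed to every helm command of that team.
install_team_tiller() {
  ns="$1"
  sa="$2"
  check_tiller_target "$ns" "$sa"
  kubectl get namespace "$ns" >/dev/null 2>&1 || kubectl create namespace "$ns"
  tiller_rbac_manifest "$ns" "$sa" | kubectl apply -f -
  helm init --service-account "$sa" --tiller-namespace "$ns"
  helm version --tiller-namespace "$ns"
}

# Runs only when invoked as: sh secure-tiller.sh apply <namespace> <serviceaccount>
if [ "${1:-}" = "apply" ]; then
  install_team_tiller "${2:-x-team}" "${3:-tiller-x-team}"
fi
```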

  72-74. @hayorov
    Release information
    • By default Tiller stores release information in ConfigMaps
    Is this the 1MB limit?
    (diagram: Tiller-deploy svc and pod, Service Account, Role, RoleBinding, RBAC; Release secrets shown in place of the Release configmap)

  75-76. @hayorov
    Chart Repos
    • Use HTTPS always
    • Publish signed charts
    • Helm client supports TLS
    • Chartmuseum supports basic auth
    • helm-gcs plugin with GCP auth
    (diagram: Helm CLI fetches from a Signed Chart Repo over HTTPS with mTLS or basic auth)

  77-78. @hayorov
    gRPC API
    • Tiller supports TLS on gRPC
    (diagram: Helm CLI with Kubeconfig reaches the Tiller-deploy svc over gRPC with TLS; Tiller-deploy pod, Service Account, Role, RoleBinding, Release configmap, RBAC)

  79-81. @hayorov
    Secured Helm (diagram)
    Helm CLI fetches charts from the Chart Repo over HTTPS (TLS or basic auth) and talks to Tiller over gRPC with mTLS
    K8s cluster: the kube-system ns holds the Kube-apiserver, the Tiller-deploy svc and pod with its Service Account (RBAC) and the Release secret; the microservice ns / release ns(s) hold the Release deployment, svc and configmap and the Microservice pod
    instruction at bit.ly/helm-secure
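As an added example (not from the talk or the bit.ly instructions), the remaining steps of the secured setup as Helm 2 commands: mTLS on Tiller's gRPC port, releases stored in Secrets instead of ConfigMaps, and HTTPS-only chart repos with signature verification; the certificate file names under CERT_DIR, the Tiller namespace, the repo name and the chart name are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): hardening steps from the "Secured Helm"
# slide as helm 2 commands. Assumed: certificates already issued under CERT_DIR
# (ca.pem, tiller.pem, tiller-key.pem, helm.pem, helm-key.pem), a Tiller
# namespace TILLER_NS, and a chart repo reachable at REPO_URL.
set -eu

CERT_DIR="${CERT_DIR:-${HOME:-.}/.helm/certs}"
TILLER_NS="${TILLER_NS:-x-team}"

# "Use HTTPS always": accept a repo URL only when its scheme is https.
repo_url_is_https() {
  case "$1" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Client-side TLS flags for every command that talks to Tiller; --tls-verify
# makes the client check Tiller's certificate against the CA as well.
# (Paths containing spaces would need the set -- style used in add_repo_https.)
helm_tls_flags() {
  echo "--tls --tls-verify --tls-ca-cert $CERT_DIR/ca.pem --tls-cert $CERT_DIR/helm.pem --tls-key $CERT_DIR/helm-key.pem"
}

# Install Tiller with TLS on gRPC, verifying client certificates, and with
# releases kept in Secrets (the --override rewrites Tiller's container command).
init_tiller_tls() {
  sa="$1"
  helm init --service-account "$sa" --tiller-namespace "$TILLER_NS" \
    --tiller-tls --tiller-tls-verify \
    --tiller-tls-cert "$CERT_DIR/tiller.pem" \
    --tiller-tls-key "$CERT_DIR/tiller-key.pem" \
    --tls-ca-cert "$CERT_DIR/ca.pem" \
    --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}'
}

# Add the repo over HTTPS only, pinned to a private CA; basic auth (ChartMuseum)
# is passed with --username/--password when REPO_USER is set.
add_repo_https() {
  name="$1"
  url="$2"
  repo_url_is_https "$url" || { echo "refusing non-HTTPS repo: $url" >&2; return 1; }
  set -- "$name" "$url" --ca-file "$CERT_DIR/ca.pem"
  [ -z "${REPO_USER:-}" ] || set -- "$@" --username "$REPO_USER" --password "${REPO_PASS:?}"
  helm repo add "$@"
}

# "Publish signed charts": --verify rejects an unsigned or tampered chart by
# checking its provenance file against the keyring of trusted publisher keys.
fetch_verified() {
  chart="$1"
  helm fetch --verify --keyring "${HOME:-.}/.gnupg/pubring.gpg" "$chart"
}

# Talk to the hardened Tiller; the same flags can instead be exported as
# HELM_TLS_ENABLE, HELM_TLS_VERIFY, HELM_TLS_CA_CERT, HELM_TLS_CERT, HELM_TLS_KEY.
list_releases() {
  # shellcheck disable=SC2046
  helm ls --tiller-namespace "$TILLER_NS" $(helm_tls_flags)
}

# Runs only when invoked as: REPO_URL=https://... sh secure-helm.sh apply <serviceaccount>
if [ "${1:-}" = "apply" ]; then
  init_tiller_tls "${2:-tiller-x-team}"
  add_repo_https team "${REPO_URL:?set REPO_URL to the https chart repo}"
  fetch_verified team/myapp
  list_releases
fi
```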

  82. @hayorov
    Bonus

  83-87. @hayorov
    Where to browse charts?
    github.com/helm/charts: ~300 charts (stable, incubator)

  88-93. @hayorov
    Helm Hub: hub.helm.sh
    629+ charts, 30+ external repos
    repo-values.yml

  94-107. @hayorov
    Open Service Broker API integration
    What are Service Brokers?
    (diagram: My Cluster obtains a Managed MySQL (Tier: Basic) from a Cloud Provider through a Service Broker (OSBA) instead of manually, and receives the DB credentials)
    Helm glues Service Broker and charts that consume OSB resources

  108. @hayorov
    Repositories on GCS
    ChartMuseum is the de facto standard
    helm-gcs is a plugin that allows managing private repos on GCS
    Authentication using:
    • application default credentials
    • service account (via the global flag)

  109-116. @hayorov
    Alternatives
    Any alternatives?
    • Ksonnet, Metaparticle
    • Your configuration mngt system (ansible, terraform, chef …)
    • Operator Framework (2k ⭐)
    Helm add-ons:
    • Draft, Skaffold
    (diagram: axes "more control" vs. "more k8s native", placing Helm v2, Helm v3, Ksonnet/Metaparticle, Your Cfg management, Operator Framework and Draft/Skaffold)

  117. @hayorov
    The future of Helm
    Helm 3 is the next big thing
    • Simplified client-only architecture (no more Tiller)
    • State storage based on the Release object (based on CRD)
    • Initial support for OCI repositories
    • (optional) Embedded Lua engine for scripting
    • Schematised values files (using JSONSchema)
    • Single event-driven model
    Current status: 3.0.0-alpha.1 released

  118. Thank you
    questions…

    Alex Khaerov
    hayorov
    http://bit.ly/helm-sec-slides