talk-data.com
Activities & events
| Title & Speakers | Event |
|---|---|
| Helm chart security workshop<br>2025-09-16 · 17:00<br>Nigel Douglas – Head of Developer Relations @ Cloudsmith<br>A practical workshop exploring threats, attack scenarios, and strategies for securing Helm charts using Cloudsmith's artifact management. Topics include verifying assets (public Helm charts, dependencies, and images), automating compliance with Trivy, and enforcing runtime OPA Gatekeeper policies to protect Kubernetes deployments. Learn to audit and manage Helm charts before distribution to prevent supply-chain attacks. Bonus: hands-on Instruqt lab analyzing insecure chart templates and demonstrating how to scan and validate Helm charts prior to production Kubernetes deployment. | Are your Helm charts secure? Uncovering hidden supply chain threats |
| Securing Helm charts in Kubernetes: threat scenarios and automation<br>2025-09-16 · 17:00<br>Nigel Douglas – Head of Developer Relations @ Cloudsmith<br>This practical workshop explores common threats, attack scenarios, and proven strategies for securing Helm charts through Cloudsmith's artifact management, maintaining supply chain integrity and regulatory compliance. Topics include: verifying every asset (public Helm charts, dependencies, and images from popular OSS projects before deployment); automating compliance with Trivy and enforcing runtime OPA Gatekeeper security policies in real-time; preventing supply chain attacks by auditing and managing Helm charts before distributing through secure repositories; and acknowledging the manual overhead, as most charts are insecure-by-default and require further security checks by your team. Bonus: Hands-on Instruqt lab platform that analyzes actual insecure chart templates and demonstrates how to scan and detect vulnerabilities with open-source tools, implement security standards, and properly validate Helm charts prior to production Kubernetes deployment. | Are your Helm charts secure? Uncovering hidden supply chain threats |
| Securing Helm charts in public repositories<br>2025-05-20 · 17:00<br>Nigel Douglas – Head of Developer Relations @ Cloudsmith<br>30-minute talk on the evolving threat landscape around Helm charts in public repositories. We’ll discuss real-world incidents such as the Codecov supply chain attack and hypothetical attack vectors like 'ChartSploit', highlighting how seemingly benign configurations can be exploited. Topics include anatomy of vulnerable charts, risk areas (RBAC misconfigurations, dependency vulnerabilities), and actionable strategies to secure Kubernetes environments—auditing deployments, verifying chart integrity, enforcing strict access controls, and adopting DevSecOps practices. | Identifying vulnerabilities in public Kubernetes Helm charts |
| Identifying vulnerabilities in public Kubernetes Helm charts<br>2025-05-20 · 17:00<br>As Kubernetes adoption accelerates, Helm charts have become a de facto standard for deploying applications at scale. However, with this convenience comes significant security risks. Public Helm charts, often used without thorough inspection, can hold a wide variety of misconfigurations, insecure defaults, and vulnerable dependencies, providing attackers with opportunities for privilege escalation, data exfiltration, or even full-cluster compromise. This webinar will explore the evolving threat landscape around Helm charts in public repositories. From real-world incidents, like the Codecov supply chain attack, to hypothetical attack vectors like "ChartSploit", we’ll highlight how seemingly benign configurations can be exploited. You'll gain insights into the anatomy of vulnerable charts, key risk areas such as RBAC misconfigurations and dependency vulnerabilities, and what recent CNCF data tells us about industry-wide exposure. Most importantly, we’ll cover actionable strategies for securing your Kubernetes environments, such as:<br>Whether you're a platform engineer, security analyst, or DevOps practitioner, this session will equip you with the knowledge and tools to identify and mitigate risks in your Helm chart ecosystem. After a 30-minute talk there’ll be a 15-minute Q&A, for which we encourage you to submit questions in advance. A webinar recording and related materials will be shared with all attendees after the event.<br>Speaker: Nigel Douglas - Head of Developer Relations @ Cloudsmith<br>Nigel champions Cloudsmith’s developer ecosystem by creating compelling educational content, engaging with developer communities, and promoting Cloudsmith as the go-to solution for artifact management and supply chain security. Nigel helps build and shape the DevOps community through events, tutorials, and innovative programs. | Identifying vulnerabilities in public Kubernetes Helm charts |