Automated Analysis of Security Policy Violations in Helm Charts

Francesco Minna, Agathe Blaise, Katja Tuma, Fabio Massacci

Published: 2026, Last Modified: 30 Mar 2026
Venue: IEEE Trans. Dependable Secur. Comput. 2026
License: CC BY-SA 4.0
Abstract: The advent of Infrastructure-as-Code (IaC) and cloud platforms has transformed applications into ephemeral deployments of configuration files, where containers live for only a few minutes. Several industry-grade static analyzers are available to check for security misconfigurations before deployment, but the experimental evidence we report in this paper is that they produce different and possibly inconsistent results. We developed an automated pipeline to evaluate and compare static analyzers for Helm charts, the popular package manager for deploying Kubernetes (K8s) applications, in finding a functional configuration that adheres to the principle of least privilege. We evaluated seven open-source chart analyzer tools on the 60 most common Artifact Hub Helm charts (the first 60 returned by the Artifact Hub Application Programming Interface (API) upon first invocation) and found that overly permissive ClusterRoles are the most common misconfiguration, and that using a high user ID is the most commonly needed permission. During the evaluation we also found several bugs, both false positives and false negatives, which we reported to the tool developers. Securing cloud configurations still requires significant manual intervention, and more effort should be spent on standardizing the analysis of misconfigurations.
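The two findings the abstract singles out, overly permissive ClusterRoles and workloads that do not run under a high user ID, are the kind of checks the compared analyzers implement. The following is an added example written for this page, not code from the paper or from any of the evaluated tools: a small checker over rendered Kubernetes manifests that flags wildcard or escalating RBAC rules and containers that run as root, with no explicit UID, or with a low UID. The manifests are a constructed sample (in practice they would come from `helm template` piped through a YAML parser), and the "high UID" threshold of 10000 is an assumption borrowed from the common analyzer default, not a value the paper specifies.

```python
"""Least-privilege checks over rendered Kubernetes manifests (added example)."""
from typing import Any, Dict, List, Optional

HIGH_UID = 10000  # assumption: the usual "high UID" threshold used by chart analyzers
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}
ESCALATING_VERBS = {"escalate", "bind", "impersonate"}


def check_clusterrole(obj: Dict[str, Any]) -> List[str]:
    """Flag ClusterRole rules that grant more than a scoped set of verbs/resources."""
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    findings: List[str] = []
    for i, rule in enumerate(obj.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"ClusterRole/{name} rule[{i}]: wildcard in apiGroups/resources/verbs")
        if "secrets" in resources and verbs & {"get", "list", "watch"}:
            findings.append(f"ClusterRole/{name} rule[{i}]: cluster-wide read access to secrets")
        if verbs & ESCALATING_VERBS:
            findings.append(f"ClusterRole/{name} rule[{i}]: escalating verbs {sorted(verbs & ESCALATING_VERBS)}")
    return findings


def check_pod_spec(owner: str, spec: Dict[str, Any]) -> List[str]:
    """Flag containers that are privileged, run as root, or lack a high explicit UID."""
    findings: List[str] = []
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        # container-level settings override the pod-level securityContext
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        where = f"{owner} container {c.get('name', '?')}"
        if sc.get("privileged"):
            findings.append(f"{where}: privileged container")
        if uid == 0:
            findings.append(f"{where}: runs as root (runAsUser: 0)")
        elif uid is None and not non_root:
            findings.append(f"{where}: no runAsUser and runAsNonRoot unset; UID is whatever the image picks")
        elif uid is not None and uid < HIGH_UID:
            findings.append(f"{where}: low UID {uid} (< {HIGH_UID})")
    return findings


def pod_spec_of(obj: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Locate the PodSpec inside the object kinds that carry one."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind == "CronJob":
        return obj.get("spec", {}).get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    if kind in WORKLOAD_KINDS:
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    return None


def analyze(manifests: List[Dict[str, Any]]) -> List[str]:
    """Run every check over a list of rendered manifest objects."""
    findings: List[str] = []
    for obj in manifests:
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        if kind == "ClusterRole":
            findings += check_clusterrole(obj)
        else:
            spec = pod_spec_of(obj)
            if spec is not None:
                findings += check_pod_spec(f"{kind}/{name}", spec)
    return findings


# Constructed sample: a wildcard ClusterRole beside a scoped one, and a root
# container beside its hardened form. Not taken from any real chart.
SAMPLE_MANIFESTS: List[Dict[str, Any]] = [
    {"kind": "ClusterRole", "metadata": {"name": "demo-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "demo-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Deployment", "metadata": {"name": "demo-web"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "web", "image": "nginx", "securityContext": {"runAsUser": 0}}]}}}},
    {"kind": "Deployment", "metadata": {"name": "demo-web-fixed"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
         "containers": [{"name": "web", "image": "nginx"}]}}}},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_MANIFESTS):
        print(finding)
```

On the sample this reports exactly two findings, the wildcard rule in `demo-admin` and the root container in `demo-web`; the scoped reader role and the hardened deployment pass. The checks are deliberately literal (wildcards, secrets, escalating verbs, UID thresholds) because that is where the analyzers the paper compares tend to disagree: whether a pod-level `runAsNonRoot: true` without a `runAsUser` counts as compliant, for instance, is exactly the sort of judgement one tool makes and another does not.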