Scalable Runtime Integrity Protection for Helm Based Applications on Kubernetes Cluster

Enterprises adopting cloud increasingly use container orchestration systems (e.g., Kubernetes) to manage applications and their configurations at scale. In Kubernetes environment, developers use package managers (e.g., Helm) for bundling, distributing, and deploying applications. These developments in cloud native applications have introduced new challenges. One of the challenges is protecting the integrity of application packages (e.g., Helm chart) deployed in a large-scale enterprise cluster. Existing tools for verifying integrity of Helm charts are limited to verify provenance and integrity of application packages. Therefore, in this work, we propose a mechanism to verify provenance and integrity of Helm charts at the cluster-side by addressing the granularity gap to verify each resource in a chart. We demonstrate how our approach successfully enforces integrity of Helm charts and evaluate the cost of integrity enforcement with a preliminary study.