Claude-skill-registry helm-chart-review

Conduct comprehensive Helm chart security and quality audits with automated checks for security contexts, resource limits, and production readiness. Use when reviewing pull requests with Helm chart changes, conducting pre-release chart audits, security scanning Helm manifests, validating chart structure and best practices, or preparing charts for production deployment.

install

source · Clone the upstream repo

git clone https://github.com/majiayu000/claude-skill-registry

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/helm-chart-review" ~/.claude/skills/majiayu000-claude-skill-registry-helm-chart-review && rm -rf "$T"

manifest: skills/data/helm-chart-review/SKILL.md

Helm Chart Review

Purpose

Provide comprehensive review checklists and automated validation for ensuring Helm charts meet production quality and security standards before deployment.

Complete Review Workflow

Step 1: Run Automated Validation

# Lint checks
helm lint ./charts/mychart

# Template rendering validation
helm template mychart ./charts/mychart --debug

# Test with different value files
helm template mychart ./charts/mychart -f values-prod.yaml

# Dry run installation
helm install test ./charts/mychart --dry-run --debug --namespace test

Step 2: Security Review Checklist

Critical security items (must pass):

No hardcoded secrets in values.yaml or templates
Image tags are specific (no
```
:latest
```
tag)

Security contexts are defined and restrictive:

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

RBAC is properly configured with least privilege
Resource limits are set for all containers
Service accounts are explicitly created (not using default)
Secrets use external secret management (not inline)

Security red flags:

# ❌ NEVER allow these
securityContext:
  privileged: true # Unacceptable
  runAsUser: 0 # Root user - requires justification
  allowPrivilegeEscalation: true # Security risk

image:
  tag: latest # Non-deterministic

# Hardcoded secrets
password: "hardcoded123" # NEVER hardcode secrets

Step 3: Structure Review Checklist

Chart.yaml has all required fields:
- ```
apiVersion: v2
```
- ```
name
```
  ,
```
description
```
  ,
```
type
```
- ```
version
```
  (follows SemVer2)
- ```
appVersion
```
- ```
maintainers
```
  with contact info
Version follows SemVer2 format (MAJOR.MINOR.PATCH)
Dependencies use version ranges (~)
One resource per file in templates/
Template helpers are properly namespaced
File naming follows conventions (lowercase, dashes)
NOTES.txt provides useful post-install information
README.md exists with usage documentation

Step 4: Values Review Checklist

All values are documented with clear comments
Naming is consistent (camelCase throughout)
Types are explicit (strings quoted:
```
tag: "1.0"
```
)
Flat structure preferred over deep nesting
Defaults are secure and production-ready
Environment-specific values separated (values-{env}.yaml)
Boolean values use lowercase (
```
true
```
/
```
false
```
)
Resource requests/limits have realistic values

Good vs bad values:

# ✅ Good
replicaCount: 2 # Documented, reasonable default

image:
  repository: myapp
  pullPolicy: IfNotPresent
  tag: "" # Empty, uses appVersion

resources:
  limits:
    cpu: 500m
    memory: 256Mi
  requests:
    cpu: 250m
    memory: 128Mi

# ❌ Bad
replicas: 1 # Undocumented, single point of failure
ImageTag: latest # Wrong case, non-specific tag
database:
  password: "changeme" # Hardcoded secret

Step 5: Template Review Checklist

Labels are consistent and follow k8s recommendations:

```
app.kubernetes.io/name
```
```
app.kubernetes.io/instance
```
```
app.kubernetes.io/version
```
```
app.kubernetes.io/managed-by
```

Nil checks for nested values (prevent nil pointer errors)
Whitespace properly managed (
```
{{-
```
and
```
-}}
```
used correctly)
Helper functions used for repeated logic
Conditionals properly structured
Resources can be disabled via values
Image tags default to Chart.AppVersion
ConfigMap/Secret changes trigger pod restarts (checksum annotations)
Names truncated to 63 characters

Template quality patterns:

# ✅ Good
metadata:
  name: {{ include "mychart.fullname" . }}
  labels:
    {{- include "mychart.labels" . | nindent 4 }}
  annotations:
    checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}

{{- if .Values.ingress.enabled }}
# ... conditional resource
{{- end }}

image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"

# Safe nil handling
{{- with .Values.tolerations }}
tolerations:
  {{- toYaml . | nindent 8 }}
{{- end }}

# ❌ Bad
name: my-app-{{ .Release.Name }}       # Hardcoded
image: {{ .Values.image }}:latest      # Hardcoded latest
{{ .Values.nested.value }}             # No nil check

Step 6: Testing Review Checklist

helm lint passes without errors or warnings
helm template renders correctly
Dry run succeeds
Unit tests exist and pass (helm-unittest)
All conditional paths tested (enabled/disabled features)
Multiple environments tested (dev, staging, prod values)

Security Scanning Integration

Kubesec Analysis

# Scan rendered templates for security issues
helm template mychart ./charts/mychart | kubesec scan -

# Look for:
# - Missing security contexts
# - Privileged containers
# - Host path mounts
# - Host network usage

Trivy Image Scanning

# Extract images from chart
helm template mychart ./charts/mychart | grep "image:" | sort -u

# Scan each image for vulnerabilities
trivy image myapp:1.0.0

Common Review Findings and Fixes

Finding: Missing Resource Limits

# ❌ Problem
containers:
  - name: app
    image: myapp:1.0

# ✅ Solution
containers:
  - name: app
    image: myapp:1.0
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 250m
        memory: 128Mi

Finding: Insecure Security Context

# ❌ Problem
securityContext: {}

# ✅ Solution
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL

Finding: Latest Image Tag

# ❌ Problem
image: myapp:latest

# ✅ Solution
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"

Finding: No Liveness/Readiness Probes

# ❌ Problem
containers:
  - name: app
    image: myapp:1.0

# ✅ Solution
containers:
  - name: app
    image: myapp:1.0
    livenessProbe:
      httpGet:
        path: /healthz
        port: http
      initialDelaySeconds: 30
      periodSeconds: 10
    readinessProbe:
      httpGet:
        path: /ready
        port: http
      initialDelaySeconds: 5
      periodSeconds: 5

Review Severity Levels

BLOCKER (must fix before merge):

Hardcoded secrets
Missing security contexts
Privileged containers
No resource limits
Use of
```
:latest
```
tag

CRITICAL (must fix before production):

Missing liveness/readiness probes
Single replica without PDB
No pod disruption budget
Incorrect RBAC (too permissive)

MAJOR (should fix):

Undocumented values
Missing tests
Incomplete README
No CHANGELOG entry

MINOR (nice to have):

Improved comments
Additional examples
Optimization opportunities

Pre-Release Checklist

Before releasing chart:

CI/CD Quality Gates

Example pipeline checks:

# GitLab CI / GitHub Actions
helm-lint:
  stage: test
  script:
    - helm lint ./charts/*

helm-unittest:
  stage: test
  script:
    - helm unittest ./charts/*

helm-security-scan:
  stage: test
  script:
    - helm template ./charts/* | kubesec scan -
    - helm template ./charts/* | trivy config -

helm-dry-run:
  stage: test
  script:
    - helm install test ./charts/mychart --dry-run --debug

Documentation Review

README.md must include:

CHANGELOG.md must track:

Resources

Related Agent

For comprehensive Helm/Kubernetes guidance that coordinates this and other Helm skills, use the

helm-kubernetes-expert

agent.