Purpose

Enforce Helm chart quality and security standards across the

helm-charts/

directory through automated checks.

What it checks (13 checks):

1. Image Tags (no latest, mutable tags) - HIGH
2. Security Context (runAsNonRoot, no privileged) - HIGH
3. Resource Limits (requests, limits, memory) - HIGH
4. RBAC Wildcards (no * permissions) - HIGH
5. Health Probes (liveness, readiness) - HIGH
6. Helm Lint (official helm validation) - HIGH
7. Chart Metadata (apiVersion, version, maintainers) - MEDIUM
8. Chart Structure (README, NOTES.txt, _helpers.tpl) - MEDIUM
9. Dependencies (pinned versions, Chart.lock) - MEDIUM
10. Deprecated APIs (no v1beta1, use stable APIs) - MEDIUM
11. Argo Rollouts (strategy, analysis, steps) - MEDIUM
12. Ingress TLS (certificates, annotations) - MEDIUM
13. GPU Resources (nvidia.com/gpu, tolerations) - LOW

Running Checks

Full audit (all checks):

node .claude/skills/helm-charts-audit/scripts/run_all_checks.mjs

Generate report (all checks + markdown report):

node .claude/skills/helm-charts-audit/scripts/generate_report.mjs

Report saved to:

reports/YYYY-MM-DD/helm-charts-audit.md

Individual checks:

node .claude/skills/helm-charts-audit/scripts/check_image_tags.mjs
node .claude/skills/helm-charts-audit/scripts/check_security_context.mjs
node .claude/skills/helm-charts-audit/scripts/check_resource_limits.mjs
node .claude/skills/helm-charts-audit/scripts/check_rbac_wildcards.mjs
node .claude/skills/helm-charts-audit/scripts/check_health_probes.mjs
node .claude/skills/helm-charts-audit/scripts/check_helm_lint.mjs
node .claude/skills/helm-charts-audit/scripts/check_chart_metadata.mjs
node .claude/skills/helm-charts-audit/scripts/check_chart_structure.mjs
node .claude/skills/helm-charts-audit/scripts/check_dependencies.mjs
node .claude/skills/helm-charts-audit/scripts/check_deprecated_apis.mjs
node .claude/skills/helm-charts-audit/scripts/check_argo_rollouts.mjs
node .claude/skills/helm-charts-audit/scripts/check_ingress_tls.mjs
node .claude/skills/helm-charts-audit/scripts/check_gpu_resources.mjs

Quality Rules

1. Image Tags (HIGH)

RULE: Never use mutable tags.

latest

tag = unpredictable deployments + rollback failures.

Violations:

• image: nginx:latest

  - mutable, changes without notice

• image: nginx

  - defaults to :latest

• tag: ""

  - empty tag in values.yaml

• tag: head

  ,

  tag: canary

  ,

  tag: dev

  - mutable branch tags

Fix: Use immutable tags like

v1.2.3

, SHA digests

sha256:abc123

, or SemVer

1.21.0

.

---

2. Security Context (HIGH)

RULE: Containers must run with minimal privileges. Privileged containers = cluster takeover risk.

Violations:

• privileged: true

  - full host access, container escape trivial

• runAsNonRoot: false

  - runs as root user UID 0

• runAsUser: 0

  - explicitly root

• allowPrivilegeEscalation: true

  - can gain more privileges

• hostNetwork: true

  - shares host network namespace

• hostPID: true

  - can see/kill host processes

• hostIPC: true

  - can access host shared memory

• readOnlyRootFilesystem: false

  - malware can write anywhere

• capabilities.add: [SYS_ADMIN]

  - near-root level access

• capabilities.add: [ALL]

  - equivalent to privileged

Fix: Add proper securityContext with

runAsNonRoot: true

,

allowPrivilegeEscalation: false

,

readOnlyRootFilesystem: true

,

capabilities.drop: [ALL]

.

---

3. Resource Limits (HIGH)

RULE: All containers must have resource requests and limits. No limits = node OOM + noisy neighbor issues.

Violations:

• resources: {}

  - empty resources block
• Missing

  requests.cpu

  - scheduler can't make decisions
• Missing

  requests.memory

  - OOM killer may terminate unexpectedly
• Missing

  limits.memory

  - container can consume all node memory

• requests > limits

  - invalid configuration

Fix: Define

resources.requests.cpu

,

resources.requests.memory

,

resources.limits.memory

. Note: CPU limits often intentionally omitted for better performance.

---

4. RBAC Wildcards (HIGH)

RULE: Follow least-privilege principle. Wildcard permissions = privilege escalation path.

Violations:

• verbs: ["*"]

  - grants all actions

• resources: ["*"]

  - access to all resource types

• apiGroups: ["*"]

  - access across all API groups

• roleRef.name: cluster-admin

  - full cluster access

• verbs: [impersonate]

  - can act as other users

• verbs: [escalate, bind]

  - can grant additional privileges
• Access to

  secrets

  resource - can read all secrets

Fix: Use explicit verbs like

[get, list, watch]

, explicit resources like

[pods, services]

, avoid cluster-admin bindings.

---

5. Health Probes (HIGH)

RULE: All workloads must have health probes. No probes = stuck containers not restarted + traffic to unready pods.

Violations:

• Deployment without

  livenessProbe

  - stuck containers won't restart
• Deployment without

  readinessProbe

  - traffic sent to unready pods

• initialDelaySeconds: 0

  - probes start immediately, false failures

• timeoutSeconds: 1

  - too short, may cause false failures

• successThreshold > 1

  on livenessProbe - should always be 1

• failureThreshold > 10

  - delays detecting actual failures

Fix: Add livenessProbe and readinessProbe with reasonable

initialDelaySeconds

(10-30s),

periodSeconds

(10s),

timeoutSeconds

(5s).

---

6. Helm Lint (HIGH)

RULE: Charts must pass official helm lint validation. Lint failures = deployment failures.

Violations:

• Template syntax errors
• Missing required fields in Chart.yaml
• Invalid YAML structure
• Broken template references

Fix: Run

helm lint <chart-path>

and fix reported issues.

---

7. Chart Metadata (MEDIUM)

RULE: Chart.yaml must have complete metadata. Missing metadata = maintenance nightmare.

Violations:

• apiVersion: v1

  - Helm 2 format, upgrade to v2
• Missing or invalid

  version

  - must be SemVer
• Missing

  appVersion

  - hard to track what's deployed
• Missing

  description

  - unclear what chart does
• Missing

  maintainers

  - no ownership

• name

  doesn't match directory name - confusing

Fix: Use

apiVersion: v2

, SemVer version, add description and maintainers with email.

---

8. Chart Structure (MEDIUM)

RULE: Follow standard Helm chart structure. Non-standard = user confusion + missing features.

Violations:

• Missing

  README.md

  - no documentation
• Missing

  templates/NOTES.txt

  - no post-install instructions
• Missing

  templates/_helpers.tpl

  - no template helpers
• Missing

  .helmignore

  - unnecessary files in package
• Missing

  values.schema.json

  - no values validation
• Empty

  templates/

  directory

Fix: Create missing files following Helm chart best practices.

---

9. Dependencies (MEDIUM)

RULE: Pin dependency versions. Floating versions = non-reproducible builds.

Violations:

• No

  version

  on dependency - unpinned

• version: "*"

  or

  version: "^1.0"

  - floating version
• Missing

  Chart.lock

  - dependency versions not locked

• repository: file://

  - local reference, breaks when published

• repository: http://

  - insecure, use HTTPS
• Deprecated repository URLs (charts.helm.sh/stable)

Fix: Pin exact versions, run

helm dependency update

to generate Chart.lock.

---

10. Deprecated APIs (MEDIUM)

RULE: Use stable Kubernetes APIs. Deprecated APIs = upgrade failures.

Violations:

• extensions/v1beta1

  - removed in K8s 1.22

• apps/v1beta1

  ,

  apps/v1beta2

  - removed in K8s 1.16

• networking.k8s.io/v1beta1

  Ingress - removed in K8s 1.22

• batch/v1beta1

  CronJob - removed in K8s 1.25

• policy/v1beta1

  PodSecurityPolicy - removed in K8s 1.25

Fix: Update to stable APIs:

apps/v1

,

networking.k8s.io/v1

,

batch/v1

. Run

kubectl convert

if needed.

---

11. Argo Rollouts (MEDIUM)

RULE: Rollouts must have valid strategy configuration. Invalid config = failed deployments.

Violations:

• Rollout without

  strategy

  - no deployment strategy
• Canary without

  steps

  - no gradual rollout
• Canary without

  analysis

  - no automated validation
• BlueGreen without

  activeService

  - no active service defined
• BlueGreen without

  previewService

  - can't preview before promotion
• Missing

  revisionHistoryLimit

  - old ReplicaSets accumulate
• Missing

  progressDeadlineSeconds

  - stuck rollouts don't timeout

Fix: Configure proper canary steps with analysis, or blueGreen with activeService/previewService.

---

12. Ingress TLS (MEDIUM)

RULE: Ingress must have TLS configuration. No TLS = unencrypted traffic.

Violations:

• Ingress with hosts but no TLS - traffic unencrypted
• TLS without

  secretName

  - certificate source unclear
• No

  ingressClassName

  - may use wrong controller
• Missing cert-manager annotations - no automated certificates
• Deprecated

  kubernetes.io/ingress.class

  annotation
• No SSL redirect annotation - HTTP doesn't redirect to HTTPS

Fix: Add TLS section with secretName, use

cert-manager.io/cluster-issuer

annotation for automated certs.

---

13. GPU Resources (LOW)

RULE: GPU workloads need proper configuration. Missing config = scheduling failures.

Violations:

• GPU limits without matching requests - should be equal
• No GPU toleration - won't schedule on GPU nodes
• No GPU nodeSelector/affinity - relies only on resource availability
• No runtimeClassName - may need nvidia runtime

Fix: Set

nvidia.com/gpu

in both requests and limits (equal values), add GPU tolerations and nodeSelector.

---

Detection Philosophy

This skill uses VALUE-BASED detection:

• Detects issues by actual values and patterns, not by variable/field names
• Future-proof: new charts with issues are automatically detected
• No need to update scripts when new charts are added

Parsing Strategy

• Chart.yaml, values.yaml: YAML content parsed via regex patterns
• templates/*.yaml: Regex-based parsing (Go template syntax breaks YAML parsers)
• Multi-document YAML: Handles

  ---

  separators

Safety

• Read-only operation (except report generation)
• No Helm releases modified
• No cluster changes