helm-chart-quality-review

Helm Chart Quality Review

Purpose

This skill reviews Helm chart source for quality, security, and testability defects. It reads chart files statically — Chart.yaml, values.yaml, values.schema.json, templates/, tests/, and CI configuration — without installing the chart or contacting a Kubernetes cluster. The review surfaces defects that allow bad workloads to be deployed silently: insecure container security contexts, missing resource governance, absent health probes, RBAC over-permission, hardcoded or default credentials, and missing helm test coverage.

Lean operating rules

• Treat privileged: true, capabilities.add: [ALL] or any combination that grants root-equivalent privileges as CRITICAL — stop and flag before continuing.
• Treat hostNetwork: true, hostPID: true, or hostIPC: true as CRITICAL — these give a container visibility into the node's network stack, process table, or IPC namespace.
• Treat secrets rendered inline in a ConfigMap (not a Secret resource) as CRITICAL — plain-text secrets are visible to any workload that can read ConfigMaps in the namespace.
• Treat a ClusterRoleBinding to the default service account as CRITICAL — any workload in the namespace inherits cluster-scoped access.
• Treat capabilities.add: [SYS_ADMIN] or [NET_ADMIN] as CRITICAL — these grant near-root kernel capabilities.
• Treat hardcoded :latest image tags without override capability as HIGH — breaks reproducibility and makes rollback unreliable.
• Treat securityContext.runAsRoot: true or the absence of runAsNonRoot on pod or container spec as HIGH — workloads should not run as UID 0.
• Treat allowPrivilegeEscalation not explicitly set to false as HIGH — a child process can gain more privileges than the parent.
• Treat cluster-scoped RBAC roles where namespace-scoped would suffice as HIGH — blast radius of a compromise is the entire cluster.
• Treat serviceAccount.automountServiceAccountToken not set to false when the workload does not call the Kubernetes API as HIGH — the token is mounted unnecessarily and exploitable.
• Treat missing resources.requests and resources.limits on every container as HIGH — without limits, a misbehaving pod can trigger node over-subscription and OOM kills on neighbours.
• Treat missing livenessProbe or readinessProbe as HIGH — rolling updates proceed blind; a pod stuck in a failed state can be sent live traffic.
• Treat sensitive default credential values (admin, password, empty string) in values.yaml as CRITICAL — users forget to override defaults and ship them to production.
• Treat the absence of values.schema.json when required values carry no type or pattern constraint as MEDIUM — helm install accepts arbitrary input with no validation.
• Treat missing readOnlyRootFilesystem: true as MEDIUM — a container with a writable root filesystem can modify its own binaries or drop exploit payloads.
• Treat missing startupProbe for slow-starting containers as MEDIUM — liveness checks kill containers that need more startup time, causing crash loops.
• Treat no PodDisruptionBudget for stateful or singleton workloads as MEDIUM — node drains can take the workload to zero replicas.
• Treat no HorizontalPodAutoscaler where the workload is expected to scale as LOW.
• Treat probe timeouts or failure thresholds at defaults with no tuning rationale as LOW.
• Treat no NOTES.txt as LOW — users have no post-install guidance.
• Treat a chart version that is not semver-compliant as LOW.
• Treat tests/ that contain only pod-existence checks and no service reachability or functional assertion as LOW — existence proves the pod started, not that the service works.
• Treat no tests/ directory at all as MEDIUM — helm test integration is absent.
• Treat no CI integration for chart-testing (ct lint-and-install or equivalent) as MEDIUM — the chart is not regression-tested on install.
• Label every finding with its evidence basis: chart source provided, values only, documentation-based, or inference.
• Do not request kubeconfig, cluster credentials, cloud provider credentials, or live values files containing secrets. Ask for sanitized versions with placeholder values.
• Static review only — never install a chart, never contact a Kubernetes cluster, never run helm upgrade or kubectl apply.

References

Load these only when needed:

• Workflow and output contract — use when executing the full review or formatting the final answer.

Response minimum

Return, at minimum:

• Linting and template correctness findings
• Values hygiene findings (sensitive defaults, schema validation, :latest tags)
• Template security findings (securityContext, capabilities, host namespaces, secrets in ConfigMap)
• Resource governance findings (requests/limits, PDB, HPA)
• Health and observability findings (liveness, readiness, startup probes)
• Testability findings (helm test, chart-testing CI)
• RBAC and service account findings
• Severity-labelled finding list (CRITICAL / HIGH / MEDIUM / LOW)
• Safe next actions