Scenario #290
Security
Kubernetes v1.21, Helm v3.8

Privilege Escalation via Unchecked securityContext in Helm Chart

A third-party Helm chart allowed setting arbitrary securityContext, letting users run pods as root in production.

What Happened

The chart exposed securityContext overrides without any constraints. A developer set runAsUser: 0 during deployment, and the resulting containers ran as root in production.

Diagnosis Steps
  1. Inspected Helm chart values and rendered manifests.
  2. Detected containers with runAsUser: 0.
  3. Reviewed change logs in the GitOps pipeline.
Root Cause

The chart did not validate or restrict securityContext fields, so any value a user supplied was rendered into the pod spec unchanged.

Fix/Workaround
• Forked the chart and restricted overrides via a values schema.
• Implemented OPA Gatekeeper to block root containers at admission.
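Diagnosis steps 1 and 2 (render the chart, look for runAsUser: 0) and the Gatekeeper rule in the fix come down to the same check over rendered pod specs. The script below is an added example, not code from this scenario or from any chart or policy it mentions. It assumes the output of helm template has already been parsed into Python dicts (PyYAML or kubectl -o json would do that; neither is used here), and the manifests it scans are constructed for illustration. It resolves the effective user the way the kubelet does, with container-level securityContext taking precedence over pod-level, and covers the workload kinds that embed a pod template.

```python
"""Flag containers in rendered manifests that would run as root.

Added example (not from the original scenario). Input: rendered manifests
already parsed into dicts. Sample data below is constructed.
"""
import sys

# Workload kinds whose pod template sits at spec.template.spec
POD_TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec(manifest):
    """Return the PodSpec of a manifest, or None if it carries no pod template."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {}) or {}
    if kind == "Pod":
        return spec
    if kind in POD_TEMPLATE_KINDS:
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        return (spec.get("jobTemplate", {}).get("spec", {})
                .get("template", {}).get("spec", {}))
    return None


def effective_user(pod_sc, container_sc):
    """Container securityContext overrides pod securityContext field by field."""
    run_as_user = container_sc.get("runAsUser", pod_sc.get("runAsUser"))
    run_as_non_root = container_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    return run_as_user, run_as_non_root


def find_root_containers(manifests):
    """Return (resource, container, reason) for every container that may run as root.

    Flagged when runAsUser resolves to 0, or when runAsUser is unset and
    runAsNonRoot is not true (then the image's USER, often root, decides).
    """
    findings = []
    for m in manifests:
        spec = pod_spec(m)
        if spec is None:
            continue
        resource = f"{m.get('kind')}/{m.get('metadata', {}).get('name', '<unnamed>')}"
        pod_sc = spec.get("securityContext", {}) or {}
        containers = (spec.get("initContainers", []) or []) + (spec.get("containers", []) or [])
        for c in containers:
            uid, non_root = effective_user(pod_sc, c.get("securityContext", {}) or {})
            if uid == 0:
                findings.append((resource, c["name"], "runAsUser: 0"))
            elif uid is None and non_root is not True:
                findings.append((resource, c["name"], "runAsUser unset and runAsNonRoot not true"))
    return findings


# Constructed sample: what a chart might render when a user overrides securityContext.
SAMPLE_MANIFESTS = [
    {"kind": "Service", "metadata": {"name": "api"}, "spec": {"ports": [{"port": 80}]}},
    {"kind": "Deployment", "metadata": {"name": "api"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
         "containers": [
             {"name": "app", "image": "example/api:1.0"},
             # Container-level override defeats the pod-level setting.
             {"name": "sidecar", "image": "example/sidecar:1.0",
              "securityContext": {"runAsUser": 0}},
         ]}}}},
    {"kind": "Job", "metadata": {"name": "migrate"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "migrate", "image": "example/migrate:1.0"}]}}}},
]


def main():
    findings = find_root_containers(SAMPLE_MANIFESTS)
    for resource, container, reason in findings:
        print(f"{resource} container={container}: {reason}")
    # Non-zero exit so a CI step on the rendered chart fails closed.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Running it on the sample flags the sidecar in Deployment/api (explicit uid 0) and the Job container (no securityContext at all), while the Service is skipped. The chart-level counterpart of the same rule is a values.schema.json that puts a minimum of 1 on runAsUser and requires runAsNonRoot to be true, so that helm install and helm template reject the override before anything is rendered.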
Lessons Learned

Helm charts can be as dangerous as code.

How to Avoid
  1. Validate all chart values.
  2. Use policy engines to restrict risky configurations.