Helm Charts for Kubernetes Applications: Evolution, Outdatedness and Security Risks

Ahmed Zerouali; Ruben Opdebeeck; Coen De Roover

doi:10.1109/MSR59073.2023.00078

Helm Charts for Kubernetes Applications: Evolution, Outdatedness and Security Risks

Ahmed Zerouali, Ruben Opdebeeck, Coen De Roover

Research output: Chapter in Book/Report/Conference proceeding › Conference paper

15 Downloads (Pure)

Abstract

Using Kubernetes for the deployment, management and scaling of containerized applications has become a common practice. To facilitate the installation and management of these applications, practitioners can use the Helm package manager to assemble their configuration files into charts. The latter are reusable packages of pre-configured Kubernetes resources that can be deployed as a unit. In this paper, we aim to support chart developers and users by carrying out a comprehensive study on publicly available charts. For 9,482 charts that are distributed via the Artifact Hub repository, we mine and collect the list of their metadata, versions, dependencies, maintainers and container images. Then, we carry out an empirical analysis to assess the state and evolution of charts, as well as the outdatedness and security risks of their images. We found that the ecosystem forming around Helm charts is growing fast. However, most of the charts are not official with no popularity and no license. We also observed that charts tend to release multiple versions, but around half of them are still in the initial development phase. When looking at the container images used in charts, we found that around half of them are outdated and 88.1% of them are exposed to vulnerabilities, jeopardizing 93.7% of the charts.

Original language	English
Title of host publication	Proceedings of the 2023 IEEE/ACM 20th International Conference on Mining Software Repositories (MSR 2023)
Publisher	IEEE
Number of pages	11
ISBN (Electronic)	979-8-3503-1184-6
DOIs	https://doi.org/10.1109/MSR59073.2023.00078
Publication status	Published - 15 May 2023
Event	20th International Conference on Mining Software Repositories - Melbourne Convention Exhibition Center, Melbourne, Australia Duration: 15 May 2023 → 16 May 2023 https://conf.researchr.org/home/msr-2023

Conference

Conference	20th International Conference on Mining Software Repositories
Abbreviated title	MSR 2023
Country	Australia
City	Melbourne
Period	15/05/23 → 16/05/23
Internet address	https://conf.researchr.org/home/msr-2023

Keywords

Kubernetes
Helm
Software Ecosystem
Infrastructure as code
Evolution
Security

Access to Document

10.1109/MSR59073.2023.00078

vub-soft-tr-23-08Accepted author manuscript, 262 KB

https://soft.vub.ac.be/Publications/2023/vub-tr-soft-23-08.pdf

FWOSB103: Pattern Mining and Static Analysis for Detecting Defects in Infrastructure as Code
Opdebeeck, R. & De Roover, C.
1/11/20 → 31/10/24
Project: Fundamental
VLAAI2: Subsidie Onderzoeksprogramma "Cybersecurity Initiative Flanders"
De Meuter, W., Devriese, D., Gonzalez Boix, E. & De Roover, C.
1/09/19 → 31/12/23
Project: Applied

Replication package for the Helm charts empirical study
Zerouali, A. (Creator), Opdebeeck, R. (Creator) & De Roover, C. (Creator), Zenodo, 19 Jan 2023
DOI: 10.5281/zenodo.7552697
Dataset

Helm Charts for Kubernetes Applications: Evolution, Outdatedness and Security Risks
Ruben Opdebeeck (Speaker)
16 May 2023
Activity: Talk or presentation › Talk or presentation at a conference

File

Cite this

@inproceedings{b95f2fc087534583a08cb90a37c4e725,

title = "Helm Charts for Kubernetes Applications: Evolution, Outdatedness and Security Risks",

abstract = "Using Kubernetes for the deployment, management and scaling of containerized applications has become a common practice. To facilitate the installation and management of these applications, practitioners can use the Helm package manager to assemble their configuration files into charts. The latter are reusable packages of pre-configured Kubernetes resources that can be deployed as a unit. In this paper, we aim to support chart developers and users by carrying out a comprehensive study on publicly available charts. For 9,482 charts that are distributed via the Artifact Hub repository, we mine and collect the list of their metadata, versions, dependencies, maintainers and container images. Then, we carry out an empirical analysis to assess the state and evolution of charts, as well as the outdatedness and security risks of their images. We found that the ecosystem forming around Helm charts is growing fast. However, most of the charts are not official with no popularity and no license. We also observed that charts tend to release multiple versions, but around half of them are still in the initial development phase. When looking at the container images used in charts, we found that around half of them are outdated and 88.1% of them are exposed to vulnerabilities, jeopardizing 93.7% of the charts.",

keywords = "Kubernetes, Helm, Software Ecosystem, Infrastructure as code, Evolution, Security",

author = "Ahmed Zerouali and Ruben Opdebeeck and {De Roover}, Coen",

year = "2023",

month = may,

day = "15",

doi = "10.1109/MSR59073.2023.00078",

language = "English",

booktitle = "Proceedings of the 2023 IEEE/ACM 20th International Conference on Mining Software Repositories (MSR 2023)",

publisher = "IEEE",

note = "20th International Conference on Mining Software Repositories, MSR 2023 ; Conference date: 15-05-2023 Through 16-05-2023",

url = "https://conf.researchr.org/home/msr-2023",

}

Zerouali, A , Opdebeeck, R & De Roover, C 2023, Helm Charts for Kubernetes Applications: Evolution, Outdatedness and Security Risks. in Proceedings of the 2023 IEEE/ACM 20th International Conference on Mining Software Repositories (MSR 2023). IEEE, 20th International Conference on Mining Software Repositories, Melbourne, Australia, 15/05/23. https://doi.org/10.1109/MSR59073.2023.00078

TY - GEN

T1 - Helm Charts for Kubernetes Applications: Evolution, Outdatedness and Security Risks

AU - Zerouali, Ahmed

AU - Opdebeeck, Ruben

AU - De Roover, Coen

PY - 2023/5/15

Y1 - 2023/5/15

N2 - Using Kubernetes for the deployment, management and scaling of containerized applications has become a common practice. To facilitate the installation and management of these applications, practitioners can use the Helm package manager to assemble their configuration files into charts. The latter are reusable packages of pre-configured Kubernetes resources that can be deployed as a unit. In this paper, we aim to support chart developers and users by carrying out a comprehensive study on publicly available charts. For 9,482 charts that are distributed via the Artifact Hub repository, we mine and collect the list of their metadata, versions, dependencies, maintainers and container images. Then, we carry out an empirical analysis to assess the state and evolution of charts, as well as the outdatedness and security risks of their images. We found that the ecosystem forming around Helm charts is growing fast. However, most of the charts are not official with no popularity and no license. We also observed that charts tend to release multiple versions, but around half of them are still in the initial development phase. When looking at the container images used in charts, we found that around half of them are outdated and 88.1% of them are exposed to vulnerabilities, jeopardizing 93.7% of the charts.

AB - Using Kubernetes for the deployment, management and scaling of containerized applications has become a common practice. To facilitate the installation and management of these applications, practitioners can use the Helm package manager to assemble their configuration files into charts. The latter are reusable packages of pre-configured Kubernetes resources that can be deployed as a unit. In this paper, we aim to support chart developers and users by carrying out a comprehensive study on publicly available charts. For 9,482 charts that are distributed via the Artifact Hub repository, we mine and collect the list of their metadata, versions, dependencies, maintainers and container images. Then, we carry out an empirical analysis to assess the state and evolution of charts, as well as the outdatedness and security risks of their images. We found that the ecosystem forming around Helm charts is growing fast. However, most of the charts are not official with no popularity and no license. We also observed that charts tend to release multiple versions, but around half of them are still in the initial development phase. When looking at the container images used in charts, we found that around half of them are outdated and 88.1% of them are exposed to vulnerabilities, jeopardizing 93.7% of the charts.

KW - Kubernetes

KW - Helm

KW - Software Ecosystem

KW - Infrastructure as code

KW - Evolution

KW - Security

U2 - 10.1109/MSR59073.2023.00078

DO - 10.1109/MSR59073.2023.00078

M3 - Conference paper

BT - Proceedings of the 2023 IEEE/ACM 20th International Conference on Mining Software Repositories (MSR 2023)

PB - IEEE

T2 - 20th International Conference on Mining Software Repositories

Y2 - 15 May 2023 through 16 May 2023

ER -

Helm Charts for Kubernetes Applications: Evolution, Outdatedness and Security Risks

Abstract

Conference

Keywords

Access to Document

Projects

FWOSB103: Pattern Mining and Static Analysis for Detecting Defects in Infrastructure as Code

VLAAI2: Subsidie Onderzoeksprogramma "Cybersecurity Initiative Flanders"

Datasets

Replication package for the Helm charts empirical study

Activities

Helm Charts for Kubernetes Applications: Evolution, Outdatedness and Security Risks

Cite this