helm

A package manager for Kubernetes that packages applications into charts with templated manifests and configurable values; using Helm involves authoring charts, managing releases with helm install/upgrade/rollback, templating values.yaml, and hosting chart repositories for repeatable deployments.

helm

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

Must-Read Papers

Most classic and influential ideas
View more

Visualizing Cloud-native Applications with KubeDiagrams

May 28, 2025
PM
Philippe Merle
🏛️ Univ. Lille | Inria | CNRS | Centrale Lille | École de technologie supérieure - ETS

In cloud-native systems, Kubernetes’ declarative configurations (YAML/Helm) impede architectural understanding, hindering developer and operator productivity. This paper introduces the first user-study-driven visualization framework that automatically and semantically faithfully maps raw Kubernetes resource specifications to interpretable architecture diagrams. Methodologically, it integrates a custom domain-specific language (DSL), the Kubernetes client API, and a graph-based encoding strategy to enable zero-intrusion integration and low-friction embedding into DevOps pipelines. Evaluated on three real-world systems, the tool accelerates architectural comprehension by 42% on average and improves modeling accuracy—reducing modeling errors by 68%. It has been adopted by the CNCF ecosystem as a recommended visualization tool. The core contributions are: (1) the first visualization generation paradigm explicitly designed for Kubernetes semantics; and (2) a solution that jointly ensures precision, scalability, and engineering practicality.

Automating diagram generation for DevOps workflowsImproving mental models for cloud-native system understandingVisualizing Kubernetes architecture from complex manifests

Configuration Defects in Kubernetes

Dec 04, 2025
YZ
Yue Zhang
🏛️ Auburn University | NC State University

Kubernetes configuration defects frequently cause severe runtime failures, yet existing static analysis tools exhibit limited detection capability. This paper presents an empirical study of 2,260 open-source Kubernetes configuration scripts, systematically identifying and classifying 15 common defect categories. Through combined qualitative analysis and static analysis, we uncover two critical defect patterns previously undetected by existing tools. Leveraging these insights, we design and implement a novel lightweight linter capable of precisely detecting all identified defect types. Evaluated on real-world projects, the tool discovers 26 previously unknown, manually verified defects—19 of which have since been fixed. Our contributions include: (1) a comprehensive, publicly available dataset of annotated configurations; (2) an open-source implementation of the linter; and (3) a reusable taxonomy and methodology for improving Kubernetes configuration reliability. All artifacts are openly released to support reproducible research and practical adoption.

Develops a new linter to detect serious defects missed by current toolsEvaluates existing static analysis tools for detecting these Kubernetes defectsIdentifies 15 categories of configuration defects in Kubernetes scripts

Using Containers to Speed Up Development, to Run Integration Tests and to Teach About Distributed Systems

Jul 28, 2025
MM
Marco Mambelli
🏛️ Fermi National Accelerator Laboratory

To address the challenges of difficult development and debugging, complex integration testing environments, and high pedagogical barriers in the GlideinWMS distributed system, this paper proposes the “Workspace Container” methodology—a unified, lightweight, containerized environment for development and education. Built upon a multi-container architecture—including Factory, Frontend, compute nodes, and batch systems—it integrates Docker and VS Code to enable one-click local deployment, offline debugging, and seamless IDE collaboration. The key contribution lies in abstracting development, testing, and teaching workflows into reusable, composable, standardized container units, thereby substantially reducing onboarding overhead for new users. Empirical validation across multiple workshops confirms that the full system runs efficiently on commodity laptops, accelerates development and debugging cycles, and significantly improves instructional interactivity and experimental reproducibility.

Enable hands-on experience with distributed systems in workshopsSimplify training and onboarding for new team membersSpeed up development and testing using container workspaces

This study addresses the significant inconsistencies among current Kubernetes security hardening guidelines and configuration scanning tools in terms of recommendation coverage and risk scoring, which hinder effective security configuration decisions. The authors systematically analyze eight widely adopted hardening guides to derive a unified benchmark of 79 configuration recommendations and conduct a structured empirical evaluation of ten static scanning tools. For the first time, they establish a standardized framework for assessing Kubernetes configuration security. Their findings reveal substantial discrepancies in both coverage and risk assessment across existing guidelines and tools, underscoring the urgent need for a transparent and consistent security evaluation methodology. This work provides the community with a reproducible benchmark and actionable criteria for tool selection and policy alignment.

compliance standardsconfiguration scannersKubernetes

The State of the SBOM Tool Ecosystems: A Comparative Analysis of SPDX and CycloneDX

Dec 25, 2025
AA
Abdul Ali Bangash
🏛️ Lahore University of Management Sciences | Queen’s University | Indian Institute of Technology Ropar | University of Waterloo

Despite growing adoption of Software Bill of Materials (SBOM), empirical comparisons across major SBOM standards—particularly SPDX and CycloneDX—remain scarce, hindering evidence-based standardization and tooling decisions. Method: This study conducts the first cross-format, multidimensional empirical evaluation of the SPDX and CycloneDX ecosystems, analyzing 170 tools, 36,990 open-source issue reports, and 250 health metrics from top-tier projects. It integrates open-source ecosystem measurement, issue-report mining, and health modeling—including contribution frequency, maintenance responsiveness, and integration coverage. Contribution/Results: CycloneDX exhibits 23% higher developer activity, whereas SPDX offers 1.8× more tools and significantly greater industrial adoption. Both formats suffer from shared limitations in automated SBOM generation, compliance validation, and cross-format interoperability. The study proposes a complementary evolutionary roadmap to guide SBOM standardization and practical engineering deployment, grounded in rigorous empirical evidence.

Analyzes 170 SBOM tools and 36,990 issue reports for challengesCompares SPDX and CycloneDX SBOM tool ecosystems' maturity and supportInvestigates ecosystem health in top open-source projects for enhancement insights

Latest Papers

What's happening recently
View more

Bridging the Gap Between Binary and Source Based Package Management in Spack

Sep 09, 2025
JG
John Gouwar
🏛️ Northeastern University | Lawrence Livermore National Laboratory

In HPC environments, binary package managers suffer from inflexible configuration due to strict ABI constraints, while source-based builds incur inefficiency from redundant compilation (e.g., when switching MPI implementations). Although Spack supports hybrid source/binary deployment, its lack of a formal binary compatibility model prevents safe reuse of binaries built across heterogeneous environments. This work introduces *splicing*, a novel Spack extension that establishes the first fine-grained ABI compatibility model. It integrates metadata annotation, enhanced dependency resolution, and runtime compatibility checking to enable secure cross-environment binary reuse. The approach seamlessly unifies the configurability of source builds with the efficiency of binary installation—reducing redundant compilations significantly, achieving near-binary installation speed, and incurring negligible overhead. As a result, splicing enhances both flexibility and scalability of HPC software distribution.

Binary and source package management have configurability trade-offsHPC installations require slow rebuilds for ABI-sensitive dependenciesSpack lacks binary compatibility model for mixing packages

This work addresses the challenges in edge and embedded application development—namely, heterogeneous software stacks, multi-language runtimes, and difficult debugging—which lead to rigid deployment workflows and complex fault diagnosis. To overcome these limitations, the paper proposes a novel architecture enabling unified end-edge-cloud development. Its core components include a single programming language, a retargetable runtime system, a local recording and replay mechanism for distributed events, and a cross-platform deployment framework. This design breaks down traditional debugging barriers in edge–cloud collaborative development, facilitating seamless scalability, consistent testing, and flexible deployment across heterogeneous environments. Evaluation of the prototype system demonstrates that the proposed approach significantly simplifies deployment procedures and enhances fault diagnosis efficiency.

cloud computingdistributed debuggingedge computing

GITER: A Git-Based Declarative Exchange Model Using Kubernetes-Style Custom Resources

Nov 06, 2025
CT
Christos Tranoris
🏛️ University of Patras

In cross-organizational, cross-domain, and offline distributed entity collaboration, existing API- and message-broker-based approaches struggle to simultaneously ensure auditability, loose coupling, and participant autonomy. Method: This paper proposes a GitOps-based coordination model that uses Git as a shared state repository, leverages Kubernetes-style Custom Resource Definitions (CRDs) with declarative spec/status fields to represent desired and observed states, and integrates cryptographic commit signing, fine-grained access control, and Operator-driven automated synchronization. Contribution/Results: The model extends GitOps beyond intra-cluster operations to inter-organizational coordination, natively supporting version traceability, operational auditing, and state reproducibility. Experiments demonstrate significant improvements over RESTful APIs and message middleware in transparency, auditability, offline fault tolerance, and operational observability—while preserving participant autonomy and system decoupling.

Ensures transparency and traceability using Git native featuresExtends GitOps to cross-domain and air-gapped collaboration scenariosReplaces traditional APIs with Git-based asynchronous communication

KubeGuard: LLM-Assisted Kubernetes Hardening via Configuration Files and Runtime Logs Analysis

Sep 04, 2025
OS
Omri Sgan Cohen
🏛️ Ben-Gurion University of The Negev

Overly permissive Kubernetes configurations—such as excessively broad RBAC permissions and overly open network policies—facilitate privilege escalation and lateral movement, yet existing approaches rely predominantly on static analysis, failing to capture dynamic runtime requirements. This paper introduces KubeGuard, the first runtime log-driven, LLM-augmented framework for minimal-privilege configuration optimization. KubeGuard employs a modular prompt chain to jointly analyze YAML manifests and cluster runtime logs, translating observed operational behavior into actionable, security-compliant configuration recommendations. It automatically generates and refines RBAC roles, network policies, and deployment resource constraints. Experimental evaluation demonstrates that KubeGuard significantly outperforms baseline methods in precision, recall, and F1-score, while supporting both proprietary and open-source LLMs. By grounding configuration hardening in actual runtime behavior, KubeGuard effectively bridges the gap between declarative security policies and operational reality.

Addresses Kubernetes security risks from misconfigured and overly permissive resourcesMitigates unauthorized access and privilege escalation threats in cloud-native environmentsTransforms runtime observability into actionable least-privilege configuration guidance

This work addresses the inefficiency and error-proneness of manually aggregating change descriptions and impact scopes in cloud-native CI/CD pipelines during multi-task, multi-author collaborative releases. To tackle this challenge, the authors propose a novel approach that integrates semantic commit filtering, large language model (LLM)-driven structured summarization, and static task dependency analysis—marking the first integration of LLMs with pipeline dependency analysis to automatically generate stakeholder-oriented, categorized change reports. The system has been implemented within GitHub Actions and Tekton and deployed in a production environment comprising over 20 pipelines and 60 tasks. Empirical results demonstrate significant improvements in the accuracy and timeliness of release communication, outperforming existing tools such as SmartNote and VerLog.

change summarizationCI/CD pipelinescloud-native

Hot Scholars

KM

Karol Miller

The University of Western Australia
engineeringmedicine
AW

Adam Wittek

Professor, Intelligent Systems for Medicine Laboratory, Department of Mechanical Engineering, School
Computational BiomechanicsComputational MechanicsInjury BiomechanicsSurgery Simulation