Last updated: April 2026
Overview
CleanStart automatically generates production-ready Helm charts during image builds. Every chart includes hardened security contexts, auto-detected workload types, and all the Kubernetes resources needed for deployment. You can also use CleanStart images as drop-in replacements within existing Bitnami Helm charts via values overlays.
Generating a Helm Chart
Add the --generate-helm flag when building an image:
```bash
cleanimg build redis.cleanimg.yaml \
  --generate-helm \
  -o output/
```

This produces a complete chart at output/redis/helm/redis/ containing:

```text
redis/
  Chart.yaml              # Metadata, version, maintainer
  values.yaml             # Parameterized defaults
  .helmignore             # Artifact exclusions
  NOTES.txt               # Post-install instructions
  templates/
    _helpers.tpl          # Template helper functions
    workload.yaml         # Deployment or StatefulSet
    service.yaml          # ClusterIP service
    headless-service.yaml
    serviceaccount.yaml
    networkpolicy.yaml
    hpa.yaml              # Horizontal pod autoscaler
    pdb.yaml              # Pod disruption budget
    ingress.yaml
```

You can also generate raw Kubernetes manifests (without Helm templating) using --generate-k8s.
Deploying a Generated Chart
```bash
helm install redis output/redis/helm/redis/ \
  --set image.repository=gcr.io/clean-image-build/redis \
  --set image.tag=8.2.2-r0 \
  --set replicaCount=3
```

Common values.yaml Overrides

```yaml
image:
  repository: gcr.io/clean-image-build/redis
  tag: "8.2.2-r0"
  pullPolicy: IfNotPresent

replicaCount: 3

resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi

persistence:
  enabled: true
  size: 10Gi
```

Workload Type Auto-Detection
The chart generator automatically chooses between a Deployment and a StatefulSet based on the image's filesystem analysis. If the spec declares writable paths under known persistence directories (/data, /db, /pgdata, /mysql, /postgres, /mongodb, /kafka, /redis), a StatefulSet with PersistentVolumeClaims is generated. Otherwise, a stateless Deployment is used.
You can override this by setting kubernetes.workload_type in your spec file.
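The decision rule above, written out as an added example (this is illustrative code, not the cleanimg generator's own implementation). The spec layout it reads, a `writable_paths` list and a `kubernetes.workload_type` override key, is assumed for the demonstration; the one point the prose leaves implicit is that "under" must be checked component-wise, so that a writable /database does not match the /data persistence directory.

```python
"""Deployment-vs-StatefulSet selection as described in the docs.

Added example, not CleanStart's own code. The spec layout (a `writable_paths`
list plus an optional `kubernetes.workload_type` override) is assumed.
"""
from __future__ import annotations

import posixpath

# Persistence directories listed on the page; a writable path at or below any
# of these makes the generator choose a StatefulSet with PVCs.
PERSISTENCE_DIRS = (
    "/data", "/db", "/pgdata", "/mysql", "/postgres", "/mongodb", "/kafka", "/redis",
)


def is_under(path: str, parent: str) -> bool:
    """True if `path` equals `parent` or is nested inside it.

    Compared component-wise after normalization: a plain string prefix test
    would wrongly treat /database as being under /data.
    """
    p = posixpath.normpath(path)
    return p == parent or p.startswith(parent.rstrip("/") + "/")


def persistent_paths(spec: dict) -> list[str]:
    """Writable paths that would be backed by PersistentVolumeClaims."""
    return [
        p for p in spec.get("writable_paths", [])
        if any(is_under(p, d) for d in PERSISTENCE_DIRS)
    ]


def detect_workload_type(spec: dict) -> str:
    """Return "StatefulSet" or "Deployment" for an image spec.

    An explicit kubernetes.workload_type override wins; otherwise the
    writable-path rule decides. Paths outside the persistence directories
    (e.g. /tmp) become emptyDir volumes and do not affect the choice.
    """
    override = spec.get("kubernetes", {}).get("workload_type")
    if override:
        if override not in ("Deployment", "StatefulSet"):
            raise ValueError(f"unsupported workload_type: {override!r}")
        return override
    return "StatefulSet" if persistent_paths(spec) else "Deployment"


if __name__ == "__main__":
    # Constructed sample specs for the three cases.
    samples = {
        "redis": {"writable_paths": ["/data", "/tmp", "/var/run"]},
        "app": {"writable_paths": ["/tmp", "/database/cache"]},  # not under /data
        "forced": {"writable_paths": ["/data"],
                   "kubernetes": {"workload_type": "Deployment"}},
    }
    for name, spec in samples.items():
        print(f"{name}: {detect_workload_type(spec)} "
              f"(PVC-backed: {persistent_paths(spec)})")
```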
Security Defaults
Every generated chart enforces CleanStart security hardening:
```yaml
# Pod-level
securityContext:
  runAsUser: 65532
  runAsGroup: 65532
  fsGroup: 65532
  runAsNonRoot: true
shareProcessNamespace: true   # Pod spec field; enables kubectl debug

# Container-level
securityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
```

Writable paths declared in the image spec are automatically mounted as emptyDir volumes with appropriate size limits.
Using CleanStart Images with Bitnami Charts
If you already use Bitnami Helm charts, you can swap in CleanStart images without rewriting the chart. CleanStart provides values overlay files for common applications:
```bash
helm install mongodb bitnami/mongodb \
  -f your-values.yaml \
  -f mongodb-clnstrt-values.yaml
```

This overrides the image source, converts exec-based probes to TCP/HTTP socket probes (required for distroless images), and applies CleanStart security context defaults.
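Whether a chart was generated by CleanStart or adapted with a Bitnami overlay, the rendered workloads should end up with the security defaults listed in the Security Defaults section and without exec-based probes. The audit below is an added example, not part of CleanStart or cleanimg: it checks parsed Kubernetes objects (for instance `helm template` output converted to JSON) for the pod- and container-level settings from that section and flags any liveness, readiness or startup probe that still uses `exec`, which has nothing to run in a distroless image. The two sample manifests are constructed for the demonstration.

```python
"""Audit rendered workloads for the CleanStart security defaults.

Added example, not CleanStart's own tooling. Input is a list of Kubernetes
objects as dicts (JSON); a v1 List is expanded. Findings are returned as
strings so the caller can fail a pipeline step on a non-empty result.
"""
from __future__ import annotations

import json
import sys

NONROOT_UID = 65532
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}
PROBES = ("livenessProbe", "readinessProbe", "startupProbe")


def pod_spec_of(obj: dict) -> dict | None:
    """Pod template spec of a workload object, or None for other kinds."""
    if obj.get("kind") not in WORKLOAD_KINDS:
        return None
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def audit_workload(obj: dict) -> list[str]:
    """Return findings for one object; an empty list means it passes."""
    spec = pod_spec_of(obj)
    if spec is None:
        return []
    name = f"{obj.get('kind')}/{obj.get('metadata', {}).get('name', '?')}"
    findings: list[str] = []

    pod_sc = spec.get("securityContext", {})
    if pod_sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: pod securityContext.runAsNonRoot is not true")
    if pod_sc.get("runAsUser") in (None, 0):
        findings.append(f"{name}: pod securityContext.runAsUser is unset or 0")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name} container {c.get('name', '?')}"
        sc = c.get("securityContext", {})
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{cname}: readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation is not false")
        dropped = {cap.upper() for cap in sc.get("capabilities", {}).get("drop", [])}
        if "ALL" not in dropped:
            findings.append(f"{cname}: capabilities.drop does not include ALL")
        # exec probes need a shell or binary inside the image; a distroless
        # image has neither, so they must become tcpSocket/httpGet probes.
        for probe in PROBES:
            if "exec" in c.get(probe, {}):
                findings.append(f"{cname}: {probe} uses exec; "
                                "use tcpSocket or httpGet for distroless images")
    return findings


def audit_documents(objs: list[dict]) -> list[str]:
    """Audit every workload in a list of objects, expanding v1 List wrappers."""
    findings: list[str] = []
    for obj in objs:
        items = obj.get("items", []) if obj.get("kind") == "List" else [obj]
        for item in items:
            findings.extend(audit_workload(item))
    return findings


# Constructed samples: a hardened StatefulSet with the documented defaults,
# and an unmodified chart default that runs as root with an exec probe.
HARDENED = {
    "kind": "StatefulSet", "metadata": {"name": "redis"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": NONROOT_UID, "runAsGroup": NONROOT_UID,
                            "fsGroup": NONROOT_UID, "runAsNonRoot": True},
        "containers": [{
            "name": "redis",
            "securityContext": {"readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
            "readinessProbe": {"tcpSocket": {"port": 6379}},
        }],
    }}},
}
WEAK = {
    "kind": "Deployment", "metadata": {"name": "mongodb"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 0},
        "containers": [{
            "name": "mongodb",
            "securityContext": {"capabilities": {"drop": ["NET_RAW"]}},
            "livenessProbe": {"exec": {"command": ["mongosh", "--eval", "db.adminCommand('ping')"]}},
        }],
    }}},
}

if __name__ == "__main__":
    if not sys.stdin.isatty():
        docs = json.load(sys.stdin)
        docs = docs if isinstance(docs, list) else [docs]
    else:
        docs = [HARDENED, WEAK]
    for line in audit_documents(docs) or ["no findings"]:
        print(line)
```

Piping JSON into the script audits real rendered output; run without input it audits the two constructed samples, reporting nothing for the hardened StatefulSet and six findings for the weak Deployment.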
Generate an overlay for any Bitnami chart with:
```bash
cleanimg build <spec>.cleanimg.yaml --generate-bitnami-values
```

See Bitnami Migration Guide for details.
Chart Validation
Validate generated charts before deploying:
```bash
helm lint output/redis/helm/redis/
helm template output/redis/helm/redis/ | kubectl apply --dry-run=client -f -
```

CleanStart also includes a validation script that runs both lint and template dry-run:

```bash
./pipeline/scripts/validate-k8s-helm.sh output/redis/helm/redis/
```

Annotations and Metadata
Generated charts include CleanStart metadata as annotations on workloads:
| Annotation | Description |
|---|---|
| | Build profile (production, development, debug) |
| | Source commit SHA |
| | Build timestamp |
| | Read-only root filesystem status |
CPE (Common Platform Enumeration) metadata is also embedded for vulnerability correlation.
