Polaris is an open-source project that looks for configuration issues in Kubernetes that can affect stability, reliability, scalability, and security. It was built by Fairwinds (formerly ReactiveOps).
Creating a cluster is easy, but running it at scale with stability and security is hard. We have seen this often: a small mistake in a deployment manifest turns into a bigger problem later. For example, a workload with no resource requests gives the scheduler and the cluster autoscaler nothing to reason from, so autoscaling misbehaves and pods can starve the node they land on. Polaris aims to catch and prevent such problems before they reach the cluster.
- Dashboard for auditing Kubernetes workload configurations
- CLI utility for auditing k8s yaml files
- Polaris webhook that prevents future deployments if they don't meet the configured standard
- Checks that go beyond resource requests and limits: container health checks, image tags, networking settings (host network, host ports) and security settings (privileged containers, root, capabilities, writable root filesystems)
The Polaris dashboard can be installed with kubectl, Helm, or a local binary.
All methods require a running cluster and the KUBECONFIG environment variable pointing at it. If you have not yet signed up to Civo, you can sign up to apply for our managed Kubernetes beta to try this out for yourself!
- kubectl: apply the release manifest, which installs the dashboard into the polaris namespace:
kubectl apply -f https://github.com/fairwindsops/polaris/releases/latest/download/dashboard.yaml
- helm: add the Fairwinds chart repository and install the chart (the target namespace must already exist, so create it first or pass --create-namespace on Helm 3.2 or newer):
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm upgrade --install polaris fairwinds-stable/polaris --namespace polaris
- binary: download the binary from the release page and run polaris dashboard --port 8080 locally; it audits the cluster in your KUBECONFIG without installing anything in it.
For the in-cluster installs, use port-forward to reach the dashboard:
kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
Then open http://localhost:8080/ to view the dashboard.
As shown in the dashboard, Polaris gives your cluster a grade and a score based on the configuration of its workloads. You can now work through the findings to improve the workload configuration, and with it the cluster grade and score. This makes the cluster more secure, stable, scalable, and resilient.
The standards out of the box are meant to be industry-leading, but each check can be tuned through Polaris' configuration file (passed to the CLI with --config, or mounted into the dashboard and webhook) to match your preferences and requirements, for example by downgrading a check to a warning or exempting a controller that legitimately needs host networking.
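As an added illustration of that tuning (this file is not from the post or the Polaris repository), here is a Polaris configuration in the flattened checks format that Polaris 1.0 introduced, where every check is set to danger, warning, or ignore. The check IDs are the ones Polaris documents; confirm them against the examples/config.yaml shipped with your release, because older 0.x releases group checks by category and use error rather than danger (that is an assumption about your installed version, not something the post states).

```yaml
# Polaris configuration (added example, not the project's shipped default).
# Severity per check: danger | warning | ignore.
# Start from the upstream defaults and raise to "danger" only what you are
# ready to have the webhook block, since danger is the level that rejects a deploy.
checks:
  # Images
  tagNotSpecified: danger          # no tag or :latest
  pullPolicyNotAlways: ignore      # fine when tags are pinned, noisy otherwise
  # Health checks
  readinessProbeMissing: warning
  livenessProbeMissing: warning
  # Resources
  cpuRequestsMissing: warning
  memoryRequestsMissing: warning
  cpuLimitsMissing: warning
  memoryLimitsMissing: warning
  # Networking
  hostNetworkSet: warning
  hostPortSet: warning
  # Security
  hostIPCSet: danger
  hostPIDSet: danger
  runAsPrivileged: danger
  privilegeEscalationAllowed: danger
  dangerousCapabilities: danger
  insecureCapabilities: warning
  runAsRootAllowed: warning
  notReadOnlyRootFilesystem: warning

# Exemptions keep known-good system components from dragging the score down
# (assumed controller name; adjust to what actually runs in your cluster).
exemptions:
  - controllerNames:
      - kube-proxy
    rules:
      - hostNetworkSet
      - hostPortSet
```

The split between danger and warning is the important design choice: warnings show up in the dashboard and CI score, while danger is what the webhook turns into a hard rejection, so anything at danger must be something every team can satisfy today.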
The dashboard also provides a high-level summary of checks for each category with some helpful information.
You can also see Kubernetes deployments with specific misconfigurations listed.
As shown in the image above, this nginx-deployment has a few misconfigurations. For example, the image uses the latest tag rather than a pinned version, CPU and memory requests and limits are missing, health checks are not configured, and so on. Let's try to fix a few of them.
Polaris also shows the meaning of each configuration and what config is missing with some reference links explaining the use and importance of each.
Now we can apply a new nginx-deployment in which we have changed a few things to fix some of the misconfigurations. The changes are summarised in the diff below:
17c17 - image: nginx:latest --- + image: nginx:1.18.0 # Changed image tag from latest to specific release 19a20,50 + resources: # Added resource request and limits for cpu and memory + limits: + memory: "200Mi" + cpu: "0.5" + requests: + memory: "100Mi" + cpu: "0.2" + livenessProbe: # Added readiness and liveness probe + httpGet: + path: / + port: 80 + httpHeaders: + initialDelaySeconds: 10 + periodSeconds: 3 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: / + port: 80 + initialDelaySeconds: 10 + periodSeconds: 3 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3
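Review bot: in the 17c17 hunk, moving from nginx:latest to nginx:1.18.0 clears the tag check, but a version tag is still a mutable pointer on the registry; for a manifest you intend to enforce with the webhook, pin the digest as well (image: nginx:1.18.0@sha256:...) so that a re-pushed tag cannot silently change what runs.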
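Review bot: in the 19a20,50 hunk, the livenessProbe carries an empty `httpHeaders:` key with no entries beneath it; it is a leftover and should be removed (or given actual headers), since an empty httpHeaders contributes nothing and invites confusion. Also, the liveness and readiness probes are identical; that works for nginx, but remember that a failing liveness probe restarts the container while a failing readiness probe only removes it from the Service, so they should diverge as soon as the liveness endpoint has dependencies.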
Checking the nginx-deployment in the Polaris dashboard again, a few of the misconfigurations should now be gone. Note that the security checks (running as root, a writable root filesystem, privilege escalation allowed) are untouched by this diff and still count against the workload.
Fixing such misconfigurations for all workloads will improve the grade and score of your cluster, which can be seen at the top of the Polaris dashboard. This will make your cluster more secure, stable, scalable, and resilient.
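To make concrete what each of those checks actually inspects, and what the diff above leaves unfixed, here is an added Python example (not Polaris code) that re-implements ten Polaris-style checks over a Deployment expressed as a Python dict with the same shape as the YAML. It evaluates a constructed before manifest, the manifest after the diff, and a hardened variant with a securityContext. The check IDs mirror Polaris' own; the scoring is a plain pass percentage, which is an assumption made for readability (Polaris weights its score by severity).

```python
"""Toy re-implementation of a few Polaris-style workload checks.

Added example for this post, not Polaris' own code. Check IDs mirror Polaris;
the logic is simplified and the score is an unweighted pass percentage
(assumption: Polaris itself weights by severity).
"""


def image_tag_unpinned(image: str) -> bool:
    """True if the image has no tag or uses :latest.

    A digest reference (name@sha256:...) counts as pinned. A registry port
    (registry:5000/app) is not a tag, so only the last path segment is read.
    """
    if "@sha256:" in image:
        return False
    last_segment = image.rsplit("/", 1)[-1]
    if ":" not in last_segment:
        return True
    return last_segment.rsplit(":", 1)[1] == "latest"


def container_checks(container: dict, pod_security_context: dict) -> dict:
    """Map check ID -> True when that check FAILS for this container."""
    resources = container.get("resources", {})
    requests = resources.get("requests", {})
    limits = resources.get("limits", {})
    # runAsNonRoot may be set on the pod or the container; container wins.
    sc = {**pod_security_context, **container.get("securityContext", {})}
    return {
        "tagNotSpecified": image_tag_unpinned(container.get("image", "")),
        "cpuRequestsMissing": "cpu" not in requests,
        "memoryRequestsMissing": "memory" not in requests,
        "cpuLimitsMissing": "cpu" not in limits,
        "memoryLimitsMissing": "memory" not in limits,
        "livenessProbeMissing": "livenessProbe" not in container,
        "readinessProbeMissing": "readinessProbe" not in container,
        "runAsRootAllowed": not sc.get("runAsNonRoot", False),
        "notReadOnlyRootFilesystem": not sc.get("readOnlyRootFilesystem", False),
        "privilegeEscalationAllowed": sc.get("allowPrivilegeEscalation", True),
    }


def audit_deployment(deployment: dict) -> dict:
    """Return {container name: [failed check IDs]} for a Deployment."""
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext", {})
    return {
        c["name"]: [check for check, failed in container_checks(c, pod_sc).items() if failed]
        for c in pod_spec.get("containers", [])
    }


def score(deployment: dict) -> int:
    """Unweighted percentage of checks passed across all containers."""
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext", {})
    results = [container_checks(c, pod_sc) for c in pod_spec["containers"]]
    total = sum(len(r) for r in results)
    failed = sum(sum(r.values()) for r in results)
    return round(100 * (total - failed) / total) if total else 100


def nginx_deployment(container: dict) -> dict:
    """Constructed Deployment skeleton around a single container spec."""
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "nginx-deployment"},
        "spec": {"template": {"spec": {"containers": [container]}}},
    }


PROBE = {"httpGet": {"path": "/", "port": 80}, "initialDelaySeconds": 10,
         "periodSeconds": 3, "timeoutSeconds": 1, "failureThreshold": 3}

# Constructed: the manifest as it was before the post's diff.
BEFORE = nginx_deployment({"name": "nginx", "image": "nginx:latest"})

# Constructed: the post's diff applied (pinned tag, resources, both probes).
AFTER = nginx_deployment({
    "name": "nginx",
    "image": "nginx:1.18.0",
    "resources": {"limits": {"memory": "200Mi", "cpu": "0.5"},
                  "requests": {"memory": "100Mi", "cpu": "0.2"}},
    "livenessProbe": PROBE,
    "readinessProbe": PROBE,
})

# Constructed: the security-context settings the post's diff does not touch.
HARDENED = nginx_deployment({
    **AFTER["spec"]["template"]["spec"]["containers"][0],
    "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                        "allowPrivilegeEscalation": False},
})

if __name__ == "__main__":
    for label, d in (("before", BEFORE), ("after", AFTER), ("hardened", HARDENED)):
        print(f"{label}: score={score(d)} failed={audit_deployment(d)['nginx']}")
```

The after manifest still fails the three security checks, which is exactly what the dashboard will keep reporting for it. Before copying the hardened securityContext onto the stock nginx image, note that that image starts its master process as root and binds port 80, so runAsNonRoot: true will stop the container from starting; use an unprivileged nginx build (or a user and port the image supports) together with the securityContext.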
If you don't want to deploy Polaris in your Kubernetes cluster as an application running along with other workloads, you can make use of Polaris CLI. With the CLI tool you can audit the k8s yaml and also view the Polaris Dashboard locally, or configure it to run as part of your CI/CD run, as detailed below.
The Polaris webhook provides a way to enforce standards across all of your Kubernetes deployments. Once you have addressed the misconfigurations identified in the dashboard, you can deploy the webhook to ensure that the configuration never slips below the configured standard. It is a validating admission webhook, so it only sees workloads that are created or updated after it is installed: existing workloads keep running unchanged until they are re-deployed, which is why cleaning up the dashboard findings first matters. It rejects a workload that fails a check at the highest severity in your configuration (danger, or error in older releases) and lets warnings through, so the severity you assign to each check decides what gets blocked.
Polaris in CI/CD pipelines
Polaris can be integrated into your CI/CD pipelines. You could set it to run on each pull request or deployment with something like the following command added to your pipeline, customised to your requirements: it audits the manifests under the given path, returns a non-zero exit code if any check at the highest severity fails, and also fails the job if the overall score drops below 90. Flag names have changed between releases (newer versions call the first flag --set-exit-code-on-danger), so check polaris audit --help for the version your pipeline downloads.
polaris audit --audit-path path/to/my/deployment/yaml --set-exit-code-on-error --set-exit-code-below-score 90