What is Polaris?
Polaris is an open-source project that looks for configuration issues in Kubernetes that can affect stability, reliability, scalability, and security. It was built by Fairwinds (formerly ReactiveOps).
Preventing common mistakes in cluster deployment
Creating a cluster is easy, but running it at scale with stability and security is hard. We have seen this often: a small mistake in deployment configuration can later result in bigger issues. Something like failing to configure resource requests can break auto scaling or even cause workloads to run out of resources. Polaris aims to catch and prevent such problems.
Polaris features
- Dashboard for auditing Kubernetes workload configurations
- CLI utility for auditing k8s yaml files
- Polaris webhook that prevents future deployments if they don't meet the configured standard
- Auditing more than just k8s resources, like container health checks, image tags, networking, security settings, etc
Polaris installation
The Polaris dashboard can be installed using kubectl, helm or a local binary.
All methods will require you to have a cluster running, and the KUBECONFIG environment variable set up. If you have not yet signed up to Civo, you can sign up to apply for our managed Kubernetes beta to try this out for yourself!
- kubectl
kubectl apply -f https://github.com/fairwindsops/polaris/releases/latest/download/dashboard.yaml
- helm
helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm upgrade --install polaris fairwinds-stable/polaris --namespace polaris
- binary: download the binary from the release page
Then use port-forward to access the dashboard:
kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
and visit http://localhost:8080/ to view the dashboard.
As shown in the dashboard, Polaris gives your Kubernetes cluster a grade and a score based on the configuration of your workloads. You can now work on the workload configuration to improve your cluster grade and score. This will help in making your cluster more secure, stable, scalable, and resilient.
The standards out of the box are meant to be industry-leading, but can be adjusted in the dashboard to match your preferences and requirements.
The dashboard also provides a high-level summary of checks for each category with some helpful information.
You can also see Kubernetes deployments with specific misconfigurations listed.
As shown in the image above, this nginx-deployment has a few misconfigurations. For example, the image tag is not specified, resources like cpu and memory are missing, health checks are not configured and so on. Let's try to fix a few of them.
Polaris also shows the meaning of each configuration and what config is missing with some reference links explaining the use and importance of each.
Now we can apply the new nginx-deployment, where we have changed a few things to fix a few of the misconfigurations. The changes are summarized in the diff below:
17c17
- image: nginx:latest
---
+ image: nginx:1.18.0 # Changed image tag from latest to specific release
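Review bot: on the `image:` line, `nginx:1.18.0` is still a mutable tag, so the same manifest can pull different content if the tag is ever repointed in the registry. If the aim is a reproducible rollout, pin the digest alongside the tag (`nginx:1.18.0@sha256:<digest>`, placeholder) and record who is responsible for bumping it when a patched release is needed.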
19a20,50
+ resources: # Added resource request and limits for cpu and memory
+ limits:
+ memory: "200Mi"
+ cpu: "0.5"
+ requests:
+ memory: "100Mi"
+ cpu: "0.2"
+ livenessProbe: # Added readiness and liveness probe
+ httpGet:
+ path: /
+ port: 80
+ httpHeaders:
+ initialDelaySeconds: 10
+ periodSeconds: 3
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 80
+ initialDelaySeconds: 10
+ periodSeconds: 3
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
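Review bot: the `httpHeaders:` key under `livenessProbe.httpGet` has no entries, and `readinessProbe` does not carry it; drop the key or list the headers it was meant to send. The hunk header `19a20,50` announces 31 added lines while 26 are shown, so check that nothing was lost when the diff was pasted. Both probes also use the same path, port and timings, which means a container that is only slow to respond is restarted at the same moment it is taken out of rotation; consider a more tolerant `failureThreshold` or `periodSeconds` on the liveness probe.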
Now, when you check the nginx-deployment in the Polaris dashboard, a few of the misconfigurations should be gone.
Fixing such misconfigurations for all workloads will improve the grade and score of your cluster, which are shown at the top of the Polaris dashboard. This will make your cluster more secure, stable, scalable, and resilient.
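To make the three fixes above concrete, the following added example (not part of the original post and not Polaris's own code) re-implements them as a standalone check over a Deployment manifest loaded as a dict. The function names and the BEFORE/AFTER samples are constructed for illustration.

```python
# Added illustration: NOT Polaris code. Re-implements three of the checks the
# walkthrough discusses, over a Deployment manifest loaded as a dict
# (e.g. the output of `kubectl get deployment nginx-deployment -o json`).

def image_tag(image):
    """Return the tag of an image reference, or None if it has none."""
    name = image.split("@", 1)[0]            # drop any @sha256:... digest
    last = name.rsplit("/", 1)[-1]           # ignore a registry host:port
    return last.split(":", 1)[1] if ":" in last else None

def audit_deployment(manifest):
    """Return a sorted list of (container, finding) tuples."""
    findings = []
    containers = manifest["spec"]["template"]["spec"].get("containers", [])
    for c in containers:
        name, image = c.get("name", "?"), c.get("image", "")
        # A digest-pinned image is accepted; otherwise require a fixed tag.
        if "@" not in image and image_tag(image) in (None, "latest"):
            findings.append((name, "image tag missing or 'latest'"))
        res = c.get("resources") or {}
        for kind in ("requests", "limits"):
            for unit in ("cpu", "memory"):
                if unit not in (res.get(kind) or {}):
                    findings.append((name, f"{unit} {kind} missing"))
        for probe in ("livenessProbe", "readinessProbe"):
            if not c.get(probe):
                findings.append((name, f"{probe} missing"))
    return sorted(findings)

def deployment(container):
    """Wrap one container spec in a minimal Deployment (constructed sample)."""
    return {"kind": "Deployment", "metadata": {"name": "nginx-deployment"},
            "spec": {"template": {"spec": {"containers": [container]}}}}

PROBE = {"httpGet": {"path": "/", "port": 80}, "initialDelaySeconds": 10,
         "periodSeconds": 3, "timeoutSeconds": 1, "failureThreshold": 3}
# Constructed samples mirroring the before/after state of the diff above.
BEFORE = deployment({"name": "nginx", "image": "nginx:latest"})
AFTER = deployment({"name": "nginx", "image": "nginx:1.18.0",
    "resources": {"limits": {"memory": "200Mi", "cpu": "0.5"},
                  "requests": {"memory": "100Mi", "cpu": "0.2"}},
    "livenessProbe": PROBE, "readinessProbe": PROBE})

if __name__ == "__main__":
    for label, m in (("before", BEFORE), ("after", AFTER)):
        results = audit_deployment(m)
        print(label, "->", len(results), "finding(s)")
        for container, finding in results:
            print("  ", container, ":", finding)
```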
Polaris CLI
If you don't want to deploy Polaris in your Kubernetes cluster as an application running alongside other workloads, you can use the Polaris CLI. With the CLI tool you can audit k8s yaml files and also view the Polaris dashboard locally, or configure it to run as part of your CI/CD run, as detailed below.
Polaris webhook
The Polaris webhook provides a way to enforce standards in all of your Kubernetes deployments. Once you have addressed all the misconfigurations identified in the Polaris dashboard, you can deploy the webhook to ensure that the configuration never slips below the configured standard. Once you deploy it in the cluster, the webhook will prevent any further Kubernetes deployment that doesn't meet the configuration standard.
Polaris in CI/CD pipelines
Polaris can be integrated in your CI/CD pipelines. You could set it to run on each deployment with something like the following added as a command in your pipeline, customized to your set requirements.
polaris audit --audit-path path/to/my/deployment/yaml --set-exit-code-on-error --set-exit-code-below-score 90
Wrapping up
In conclusion, Polaris helps organizations to identify and prevent configuration issues in Kubernetes that can affect stability, reliability, scalability, and security. It does so by providing a dashboard for auditing Kubernetes workload configurations, a CLI utility for auditing k8s yaml files, a webhook that prevents future deployments if they don't meet the configured standard, and audits that cover more than just k8s resources, like container health checks, image tags, networking, security settings, etc.
For more information on how you can use Polaris, check out our YouTube channel where we explore Polaris, best practices and configuration.