This blog was originally featured as a guide in the Civo cloud community.
Polaris is an open-source project that looks for configuration issues in Kubernetes that can affect stability, reliability, scalability, and security. It was built by Fairwinds (formerly ReactiveOps).
Problem
Creating a cluster is easy, but running it at scale with stability and security is hard. We have seen this often: a small mistake in a deployment configuration can later result in bigger issues. Something like failing to configure resource requests can break autoscaling or even cause workloads to run out of resources. Polaris aims to catch and prevent such problems.
Polaris Features
- Dashboard for auditing Kubernetes workload configuration
- CLI utility for auditing Kubernetes YAML files
- Polaris webhook that prevents future deployments if they don't meet the configured standard
- Auditing of more than just Kubernetes resources: container health checks, image tags, networking, security settings, etc.
Installation
The Polaris dashboard can be installed using kubectl, helm or a local binary. All methods require you to have a cluster running and the KUBECONFIG environment variable set up.
- kubectl:
  kubectl apply -f https://github.com/fairwindsops/polaris/releases/latest/download/dashboard.yaml
- helm:
  helm repo add fairwinds-stable https://charts.fairwinds.com/stable
  helm upgrade --install polaris fairwinds-stable/polaris --namespace polaris
- binary: download the binary from the release page
Then use port-forward to access the dashboard:
  kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
and visit http://localhost:8080/ to view the dashboard.
As shown in the dashboard, Polaris gives a grade and a score to your Kubernetes cluster based on the configuration of your workloads. You can now work on improving the workload configuration to raise your cluster's grade and score. This will help make your cluster more secure, stable, scalable, and resilient.
The standards out of the box are meant to be industry-leading, but can be adjusted in the dashboard to match your preferences and requirements.
The dashboard also provides a high-level summary of checks for each category with some helpful information.
You can also see the Kubernetes deployments that have specific misconfigurations listed.
As shown in the image above, this nginx-deployment has a few misconfigurations. For example, the image tag is not specified, CPU and memory resources are missing, health checks are not configured, and so on. Let's try to fix a few of them.
Polaris also explains the meaning of each check and which configuration is missing, with reference links explaining the use and importance of each.
Now we can apply the new nginx-deployment, where we have changed a few things to fix some of the misconfigurations. The changes are summarised in the diff below:
17c17
- image: nginx:latest
---
+ image: nginx:1.18.0 # Changed image tag from latest to specific release
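Review bot: pinning to `nginx:1.18.0` fixes the "tag not specified" check, but a tag is still a mutable pointer that the registry can move; for reproducible rollouts consider pinning by digest as well (`nginx:1.18.0@sha256:<digest of the image you tested>`), and keep a scheduled process that bumps the pinned version, since a frozen tag also freezes security fixes.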
19a20,50
+ resources: # Added resource request and limits for cpu and memory
+ limits:
+ memory: "200Mi"
+ cpu: "0.5"
+ requests:
+ memory: "100Mi"
+ cpu: "0.2"
+ livenessProbe: # Added readiness and liveness probe
+ httpGet:
+ path: /
+ port: 80
+ httpHeaders:
+ initialDelaySeconds: 10
+ periodSeconds: 3
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 80
+ initialDelaySeconds: 10
+ periodSeconds: 3
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
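Review bot: the bare `httpHeaders:` line under the livenessProbe's `httpGet` has no entries, so it parses as null and adds nothing; drop it (the readinessProbe below has no such line) or give it the header list it was meant to hold. Also worth a second look: with `periodSeconds: 3`, `timeoutSeconds: 1` and `failureThreshold: 3`, a liveness failure restarts the container after roughly 9 seconds of slow responses, which is aggressive for a probe whose failure triggers a restart; a looser liveness period than the readiness period is the usual choice.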
Now, checking the nginx-deployment in the Polaris dashboard, a few of the misconfigurations should be gone.
Fixing such misconfigurations for all workloads will improve the grade and score of your cluster, shown at the top of the Polaris dashboard. This will make your cluster more secure, stable, scalable, and resilient.
Polaris CLI
If you don't want to deploy Polaris in your Kubernetes cluster as another application running alongside your other workloads, you can make use of the Polaris CLI. With the CLI tool you can audit Kubernetes YAML and also view the Polaris dashboard locally, or configure it to run as part of your CI/CD pipeline, as detailed below.
Polaris Webhook
The Polaris webhook provides a way to enforce standards across all of your Kubernetes deployments. Once you have addressed the misconfigurations identified in the Polaris dashboard, you can deploy the webhook to ensure that the configuration never slips below the configured standard: once it is running in the cluster, the webhook will reject any further Kubernetes deployment that doesn't meet the configuration standard.
Polaris in CI/CD pipelines
Polaris can be integrated into your CI/CD pipelines. You could set it to run on each deployment with something like the following command added to your pipeline, customised to your requirements:
polaris audit --audit-path path/to/my/deployment/yaml --set-exit-code-on-error --set-exit-code-below-score 90
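To make concrete what the dashboard was flagging on nginx-deployment earlier and what the `--set-exit-code-below-score 90` gate in the pipeline command above does, here is a small added Python example; it is not Polaris's own code. The two Deployment manifests are constructed dicts standing in for the parsed YAML before and after the fixes, and the check names, the scoring formula and the exit code are this example's own simplification. It goes slightly beyond the page by also handling image references with a registry port or a digest, which a naive split on `:` gets wrong.

```python
"""Polaris-style workload checks and a CI score gate (added illustration).

Not Polaris's implementation: check names, scoring and exit codes are this
example's simplification. BEFORE/AFTER are constructed dicts standing in for
the parsed YAML of nginx-deployment before and after the fixes.
"""


def image_tag(image):
    """Return the tag of an image reference: '' if none, 'digest' if pinned by @sha256."""
    name = image.rsplit("/", 1)[-1]  # drop registry/repo path, which may carry ':port'
    if "@" in name:
        return "digest"
    return name.split(":", 1)[1] if ":" in name else ""


def check_container(container):
    """Run the checks on one container spec; returns {check_name: passed}."""
    resources = container.get("resources") or {}
    requests = resources.get("requests") or {}
    limits = resources.get("limits") or {}
    security = container.get("securityContext") or {}
    tag = image_tag(container.get("image", ""))
    return {
        "tagNotSpecified": tag not in ("", "latest"),
        "cpuRequestsMissing": "cpu" in requests,
        "cpuLimitsMissing": "cpu" in limits,
        "memoryRequestsMissing": "memory" in requests,
        "memoryLimitsMissing": "memory" in limits,
        "livenessProbeMissing": "livenessProbe" in container,
        "readinessProbeMissing": "readinessProbe" in container,
        # one security-settings check the diff above did not touch
        "readOnlyRootFilesystem": security.get("readOnlyRootFilesystem") is True,
    }


def audit_deployment(deployment):
    """Return (container, check, passed) for every container in a Deployment dict."""
    results = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        for check, passed in check_container(c).items():
            results.append((c["name"], check, passed))
    return results


def score(results):
    """Percentage of passing checks (truncated); 100 when there is nothing to check."""
    if not results:
        return 100
    return 100 * sum(1 for _, _, p in results if p) // len(results)


def failures(results):
    """Names of the failed checks, for the CI log."""
    return [f"{c}: {check}" for c, check, passed in results if not passed]


def exit_code(results, min_score=90):
    """Non-zero when the score is below min_score, like --set-exit-code-below-score."""
    return 0 if score(results) >= min_score else 1


def nginx_deployment(image, resources=None, probes=False):
    """Constructed sample Deployment (hypothetical, not a manifest from the page)."""
    container = {"name": "nginx", "image": image, "ports": [{"containerPort": 80}]}
    if resources:
        container["resources"] = resources
    if probes:
        probe = {"httpGet": {"path": "/", "port": 80}, "initialDelaySeconds": 10,
                 "periodSeconds": 3, "timeoutSeconds": 1,
                 "successThreshold": 1, "failureThreshold": 3}
        container["livenessProbe"] = probe
        container["readinessProbe"] = dict(probe)
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "nginx-deployment"},
            "spec": {"template": {"spec": {"containers": [container]}}}}


BEFORE = nginx_deployment("nginx:latest")
AFTER = nginx_deployment(
    "nginx:1.18.0",
    resources={"limits": {"memory": "200Mi", "cpu": "0.5"},
               "requests": {"memory": "100Mi", "cpu": "0.2"}},
    probes=True,
)

if __name__ == "__main__":
    import sys
    for label, dep in (("before", BEFORE), ("after", AFTER)):
        res = audit_deployment(dep)
        print(f"{label}: score {score(res)}, failing: {failures(res)}")
    sys.exit(exit_code(audit_deployment(AFTER)))  # gate at 90, as in the command above
```

Run as a script it prints a score of 0 for the original manifest and 87 for the fixed one: the image tag, resource and probe checks now pass, but the read-only root filesystem check still fails, so with the 90 threshold the gate exits non-zero. That is the behaviour you want from a pipeline step: fixing "a few" misconfigurations moves the score, and the threshold decides whether the remaining ones block the deployment.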
For more information, check out the Polaris project on GitHub and this intro video for polaris.