Polaris Points the Way to Kubernetes Best Practices

24 Jul 2019 9:29am, by

A new open source project from Fairwinds aims to save developers from themselves. Called Polaris, it conducts around 20 checks to ensure that deployments to Kubernetes are configured to best practices.

These can be things that are easily overlooked by development teams, but cause reliability and security issues down the line.

“A lot of DevOps teams spend their time documenting best practices and educating developers to follow best practices. It’s a time-intensive process. We’ve been doing that and creating some enforcement mechanisms so companies can identify risks to their deployments and prevent those deployments from entering production,” said Robert Brennan, director of open source at the company. (Not to be confused with Bob Brennan, chairman of its board.)

It bases its best practices on its years as a Kubernetes provider and those shared among the Kubernetes community.

Polaris offers two ways to run checks: through a dashboard or as a validating webhook.

The dashboard provides a score on a cluster’s health, with detailed reports for each individual workload, breaking out results by category, namespace, and deployment. Each check links to documentation and further resources on the topic. It also offers recommendations for improvement.

You can drill down into each category of checks. Under images, for instance, developers might leave blank the field specifying the image, and Kubernetes will always pull the latest version. That’s a good way to get code running in production that you didn’t plan to if you have an experimental bit of code running somewhere, said Joe Pelletier, Fairwinds vice president of strategy. This check makes sure every deployment uses a specific image tag.

You also can set resource requests and limits. “If you don’t set these things, it’s hard for Kubernetes to do its magic thing of scaling your deployment and figuring pit when it’s not behaving correctly and restart them automatically. Developers need to figure how much memory and CPU should be using and Polaris will send an alert if they don’t,” Pelletier said.

You also can drill into very specific deployments, such as a specific application that a particular team is responsible for.

The optional webhook can run the same validations and will reject any deployments that trigger a validation error. In a demo, Pelletier tried to escalate privileges, a potential security flaw, which the system rejected.

“If you say you never want a container to run a privileged, you can set that as a policy and none of your developers will be able to get around that,” he said.

“We see this as an experimental feature [the company calls it beta] because it’s standing in the way of you interacting with your cluster. We’re cautioning people against using this for production clusters.

“We don’t want to get too prescriptive about what you can and can’t do with your cluster. You might have an outage and you might need to push something quickly that breaks your Polaris configuration. So we want to battle test it a lot more before we put it into production. We want to find a balance between allowing users to do what they need to do to get their job done and allowing them to do things that will shoot themselves in the foot down the line,” he said.

Based on user feedback, the company built-in continuous integration/continuous delivery support for tools like Circle CI and Jenkins.

“Typically, the way we would expect folks to deploy to production is to not have their end developers interacting with the Kubernetes API. Only a DevOps engineer, someone who really understands Kubernetes would be interacting with the API itself using kubectl,” Pelletier said.

“What we’d expect your average developer to do is check in their configuration with a git repository, let a CI/CD process run, then if the tests all pass, ship that configuration off to production. … People wanted to be able to run against local files and have this command fail if an error pops up or their score drops below a certain threshold.”

Polaris competes with auditing tools like Sonobuoy and kubesec. The difference is that Polaris analyzes the deployment layer, which focuses on the configurations that developers are responsible for, while most audit tools focus on the overall cluster configuration and design, which typically affects DevOps and infrastructure engineers, according to the company.

Polaris also is totally configurable — you can decide which checks to apply and the level of severity you want for each one. Should a violation just warrant a warning or prevent deployment? You can set limits on available resources.

Polaris is available on GitHub or click on “validate your clusters” on the website.

New Direction

The company, formerly known as ReactiveOps, has been rebranded as Fairwinds after three Boston technology execs — former Veracode chairman and CEO Bob Brennan, former Black Duck Software chief technology officer Bill Ledingham, and Volition Capital founding partner Rob Ketterson — took over the company last year. Ledingham is now CEO.

The company is working to transition it from a services company to also being a solution provider to help customers move to cloud native technologies.

Its other open source tools include:

  • Reckoner, to install and manage multiple Helm chart releases.
  • RBAC Manager, designed to simplify authorization in Kubernetes.
  • rok8s Scripts, scripts for managing the application deployment lifecycle in Kubernetes.

Feature image: “IMG_2557.jpg” by N1tr0glyc3r1n. Licensed under CC BY-SA 2.0.