Fairwinds | Blog

Practical Applications for Fairwinds Polaris' Automated Remediation

Written by Joe Pelletier | Jul 12, 2022 9:00:00 AM

The core of Fairwinds’ mission is to enable teams using Kubernetes to ship applications faster with less risk. Platform engineering leaders are at the forefront of this: their job is to empower downstream app teams with the right tools to be successful. However, to do this at scale, across multiple app teams and clusters, platform engineers must invest in automation and Kubernetes guardrails that deliver continuous feedback to DevOps engineers on the security, cost-effectiveness, and reliability of their configuration changes.

Polaris is one of the tools that platform engineering teams rely on for continuous feedback and guardrails. It currently operates in three modes:

  • As an in-cluster dashboard that highlights workload best practices or areas for improvement

  • As a validating admission controller that inspects requests and can determine if they should be deployed or not

  • As an infrastructure-as-code auditing tool for CI/CD platforms

We are excited to announce that we’ve added automated remediation to Polaris. More specifically, the Polaris admission controller now includes a mutating webhook, which can modify the incoming request, for example by adding, changing, or removing fields, based on specific policy criteria.

Practical Use Cases for Mutating Admission Controllers

A mutating admission controller can be used to automatically apply best practices to every deployment, enabling teams to move faster. However, a drawback of mutating admission controllers is the potential for configuration drift, which is when the infrastructure-as-code in your git repo does not match the runtime state. Despite this, there are scenarios where this trade-off may be appropriate. Here are three examples of practical use cases for mutating admission controllers we’ve learned from working with the Polaris community:

  1. Guaranteeing Kubernetes best practices: For example, there may be scenarios where you want to ensure the image pull policy is set to ‘Always’. Today, Polaris can alert engineers at the pull request stage when they have neglected to set the correct image pull policy. However, a mutating admission controller can guarantee the desired image pull policy, even if the engineer neglects to make the change.

  2. Applying labels for cost allocation: mutating admission controllers can also make sure your cluster workloads are labeled correctly, without slowing down developers. For example, cost allocation solutions like Fairwinds Insights report the cost of workloads by label, so having the right labels applied is key to understanding Kubernetes costs by relevant business dimensions.

  3. Mitigating security threats: Today, Polaris will report on workloads that may be over-permissioned or running with insecure configurations. However, a mutation policy that automatically sets your workloads to run as a non-root user could help Platform and Security teams mitigate vulnerabilities like CVE-2021-25741.
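To make the three use cases concrete, here is an added example (written for this article, not Polaris's own code) of the logic a mutating webhook runs for them: given the `request.object` of an AdmissionReview, it computes RFC 6902 JSON Patch operations that add missing cost-allocation labels, force `imagePullPolicy: Always` on every container, and set `runAsNonRoot: true` when it is absent, then wraps the patch in the base64-encoded `JSONPatch` response the API server expects. The sample Deployment and the required label names (`team`, `app.kubernetes.io/managed-by`) are constructed for the illustration. An explicit `runAsNonRoot: false` is deliberately not flipped; the webhook records a warning instead and leaves that decision to the validating policy, which is one way to keep mutation from hiding an intentional setting.

```python
import base64
import copy
import json

# Constructed sample: the `request.object` of an AdmissionReview sent to a
# mutating webhook for a Deployment whose author skipped all three settings.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "shop"},
    "spec": {
        "template": {
            "metadata": {"labels": {"app": "api"}},
            "spec": {
                "containers": [
                    {"name": "api", "image": "registry.example/api:1.4",
                     "imagePullPolicy": "IfNotPresent"},
                    {"name": "sidecar", "image": "registry.example/proxy:latest"},
                ]
            },
        }
    },
}

# Labels a platform team might require for cost allocation (assumed names).
REQUIRED_LABELS = {"team": "unassigned",
                   "app.kubernetes.io/managed-by": "polaris-mutation"}


def _escape(token):
    """Escape a key for an RFC 6901 JSON pointer ('~' -> '~0', '/' -> '~1')."""
    return token.replace("~", "~0").replace("/", "~1")


def _pod_template(obj):
    """Return (metadata_path, spec_path, metadata, spec) of the pod template,
    for a bare Pod or for a workload (Deployment, Job, ...) that embeds one."""
    if obj.get("kind") == "Pod":
        return "/metadata", "/spec", obj.get("metadata", {}), obj.get("spec", {})
    tmpl = obj.get("spec", {}).get("template", {})
    return ("/spec/template/metadata", "/spec/template/spec",
            tmpl.get("metadata", {}), tmpl.get("spec", {}))


def build_patch(obj, required_labels=REQUIRED_LABELS):
    """Compute RFC 6902 operations for the three use cases.
    Returns (ops, warnings). An 'add' on an existing member replaces it,
    so one op kind covers both a missing and a wrong value."""
    ops, warnings = [], []
    meta_path, spec_path, meta, spec = _pod_template(obj)

    # 1. Cost-allocation labels: add only what is missing, never overwrite.
    labels = meta.get("labels")
    if labels is None:
        ops.append({"op": "add", "path": meta_path + "/labels",
                    "value": dict(required_labels)})
    else:
        for key, value in required_labels.items():
            if key not in labels:
                ops.append({"op": "add", "value": value,
                            "path": f"{meta_path}/labels/{_escape(key)}"})

    # 2. imagePullPolicy: Always on every container.
    for i, container in enumerate(spec.get("containers", [])):
        if container.get("imagePullPolicy") != "Always":
            ops.append({"op": "add", "value": "Always",
                        "path": f"{spec_path}/containers/{i}/imagePullPolicy"})

    # 3. runAsNonRoot: set it when absent; an explicit `false` is a deliberate
    # choice, so surface it as a warning instead of silently flipping it.
    sc = spec.get("securityContext")
    if sc is None:
        ops.append({"op": "add", "path": spec_path + "/securityContext",
                    "value": {"runAsNonRoot": True}})
    elif "runAsNonRoot" not in sc:
        ops.append({"op": "add", "value": True,
                    "path": spec_path + "/securityContext/runAsNonRoot"})
    elif sc["runAsNonRoot"] is False:
        warnings.append(f"{spec_path}/securityContext/runAsNonRoot is explicitly "
                        "false; not mutated, left to the validating policy")
    return ops, warnings


def apply_patch(obj, ops):
    """Apply 'add' operations to a deep copy of obj (sufficient for build_patch)."""
    result = copy.deepcopy(obj)
    for op in ops:
        assert op["op"] == "add"
        tokens = [t.replace("~1", "/").replace("~0", "~")
                  for t in op["path"].split("/")[1:]]
        node = result
        for t in tokens[:-1]:
            node = node[int(t)] if isinstance(node, list) else node[t]
        node[tokens[-1]] = op["value"]
    return result


def admission_response(uid, ops, warnings):
    """Build the AdmissionReview response the API server expects: the patch is
    base64-encoded JSON and patchType must be 'JSONPatch'."""
    resp = {"uid": uid, "allowed": True}
    if ops:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    if warnings:
        resp["warnings"] = warnings
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


if __name__ == "__main__":
    ops, warnings = build_patch(SAMPLE_DEPLOYMENT)
    print(json.dumps(ops, indent=2))
    print(json.dumps(apply_patch(SAMPLE_DEPLOYMENT, ops)["spec"]["template"], indent=2))
    print(json.dumps(admission_response("example-uid", ops, warnings), indent=2))
```

Run against the sample Deployment, `build_patch` emits five operations (two labels, two `imagePullPolicy` fixes, one `securityContext`) and `apply_patch` shows the workload as it would land in the cluster, which is exactly the state that will no longer match the manifest in git; that is the drift trade-off described above, and the reason the same patch is worth applying to the YAML at the pull-request stage as well.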

One last thing…

Polaris can also apply the same mutations to raw YAML files. This helps teams reduce configuration drift during the “coding” phase: the Kubernetes YAML committed to git is generated with the best practices “baked in” from the start, so what is checked in matches what the admission controller would have produced. Ultimately, solutions like this can help save organizations time and money, especially when deployed at scale with SaaS platforms like Fairwinds Insights.
