If you’ve been around GitHub land for any period of time, you’ll be familiar with the variety of badges on open source projects. The badges exist to demonstrate third-party verification of the quality of some part of the repo. Ones I see regularly include the “Go Report” badge and the CircleCI “tests passing” badge; they look something like this:
The presence of these badges gives the user some confidence that the code in the repo meets an accepted standard. These badges matter to contributors because they make you feel confident that you’re shipping code you can be proud of. They may also matter to you as a user of an open source tool: they provide a degree of confidence that the tool has been vetted in some way and isn’t full of vulnerabilities, or at least that it runs on or is compatible with the latest version of something (what exactly it is compatible with depends on the badge and on the open source tool or project).
In this same vein, today we’re publicly announcing the availability of a Kubernetes Best Practices badge, which will be applied to projects containing code that is intended for deployment into a Kubernetes cluster. This may be relevant to one small piece of your open source project, or it may be relevant to the entire thing.
As an example, we have applied the badge to the relevant Kubernetes open source tools in the Fairwinds GitHub repo. It looks like this:
The tool doing this validation on the back end is Fairwinds Insights, our commercial tool for Kubernetes security and configuration validation. When someone clicks on that badge, it brings them to a Fairwinds dashboard that looks like this:
By applying the K8s Best Practices badge to your open source project, you’re demonstrating to your users that your project has passed best practice checks across a number of areas, from known Common Vulnerabilities and Exposures (CVEs) to common security misconfigurations. The vast majority of security issues are still the result of misconfiguration, so if your project is intended for deployment into a Kubernetes cluster, you can run these checks against it, fix what they flag, validate it with Insights, and thereby provide peace of mind for your users.
While Fairwinds Insights is a commercial tool for scanning Kubernetes clusters and infrastructure as code, we are making it available to open source projects for free, forever. We created this badge and the tools behind it because we are huge advocates of Kubernetes and of the open source community that surrounds it. We built Fairwinds itself, and Insights, on our experience managing thousands of clusters, and several of the open source tools we created along the way are now part of Insights. Polaris, for example, runs a variety of checks to ensure that pods and controllers are configured according to Kubernetes best practices.
If you’d like to see how to get the badge, take a look at the example on our Polaris project, set up the integration, and let us know you’re using it for an open source project. Once we hear from you, we’ll make sure your license is free in perpetuity.
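To make the kind of pod-configuration check mentioned above concrete, here is an added example of my own; it is not Fairwinds or Polaris code, and the check IDs, the sample "before" and "after" Deployment manifests, the image tag and the UID 101 in it are all this example's own assumptions. It applies a handful of checks of the sort a best-practice scanner runs (root user, privilege escalation, writable root filesystem, missing resource requests and limits, unpinned image tag, host namespaces, missing probes) to a typical unhardened Deployment and to a hardened version of the same workload. Manifests are embedded as plain dicts so it runs offline without PyYAML.

```python
"""Illustrative pod best-practice checks, in the spirit of a Polaris-style scan.

Added example, not Fairwinds or Polaris code: check IDs and sample manifests
are this script's own assumptions.
"""


def image_pinned(image):
    """True if the image reference carries a non-'latest' tag or a digest."""
    if "@" in image:                      # digest reference, e.g. nginx@sha256:...
        return True
    last = image.rsplit("/", 1)[-1]       # drop the registry, which may contain ':port'
    if ":" not in last:
        return False                      # no tag at all, implicitly 'latest'
    return last.split(":", 1)[1] != "latest"


def pod_spec(manifest):
    """Pod spec of a bare Pod, or of the template in a Deployment/StatefulSet/DaemonSet."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def check_workload(manifest):
    """Return sorted (scope, check_id) findings; an empty list means every check passed."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    findings = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(("pod", key + "Set"))
    for c in spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        # container-level settings override pod-level ones; absence means root is allowed
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and (uid is None or uid == 0):
            findings.append((name, "runAsRootAllowed"))
        if sc.get("privileged"):
            findings.append((name, "privilegedContainer"))
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append((name, "privilegeEscalationAllowed"))
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append((name, "notReadOnlyRootFilesystem"))
        res = c.get("resources", {})
        for section in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if r not in res.get(section, {}):
                    findings.append((name, f"{r}{section.capitalize()}Missing"))
        if not image_pinned(c.get("image", "")):
            findings.append((name, "tagNotSpecified"))
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append((name, probe + "Missing"))
    return sorted(findings)


# Constructed "before" manifest: the kind of Deployment that fails most checks.
BEFORE = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "nginx:latest",
                        "ports": [{"containerPort": 80}]}],
    }}},
}

# Constructed hardened version of the same workload (tag and UID 101 are assumptions;
# use the version you actually ship and the user the image really runs as).
AFTER = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 101},
        "containers": [{
            "name": "web", "image": "nginx:1.25.3",
            "ports": [{"containerPort": 8080}],
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}},
            "livenessProbe": {"httpGet": {"path": "/", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/", "port": 8080}},
        }],
    }}},
}

if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", AFTER)):
        results = check_workload(manifest)
        print(f"{label}: {len(results)} finding(s)")
        for scope, check in results:
            print(f"  {scope}: {check}")
```

Running it lists eleven findings for the "before" manifest and none for the hardened one. Two caveats a practitioner should expect when applying the hardened settings to a real image: a read-only root filesystem usually needs `emptyDir` volumes mounted on the paths the process writes to (cache, pid, temp directories), and `runAsNonRoot` only works when the image's user and its listening port are non-privileged, which is why the hardened example moves the port above 1024.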