Open source software is core to Fairwinds, providing Kubernetes support to our customers and the larger community. We work hard to build open source projects that help our clients innovate and enable users to craft the right Kubernetes architecture and deployment.
Building an application often requires some tricky technical decisions. What do you build yourself vs. what do you rely on from third parties? Before making these decisions, you need to ask yourself how open source can help your organization succeed—and whether you are willing to invest the time it takes to work with open source code (check out our paper on the Hidden Cost of Open Source). Open source software comes with its own challenges, including setup, cost, maintenance, security and reliability. Even so, there is a great deal of support in the community to help practitioners achieve what they need without third parties.
At Fairwinds, we labor to provide the type of open source code businesses need to build better products and services. A quick overview of our Kubernetes open source projects can give you an idea of the myriad ways our contributions are changing the face of modern software.
Polaris runs a variety of checks to ensure pods and controllers are configured using Kubernetes best practices. As one of our most popular open source projects, Polaris identifies errors in Kubernetes deployment configurations to help users find the misconfigurations causing security vulnerabilities, outages, scaling limitations and more. Polaris can be run in three different modes:
As a dashboard to audit what is running inside your cluster
As an admission controller to automatically reject workloads that don’t adhere to policy
As a command-line tool to test YAML files, for example as part of CI/CD process
One important goal with regards to Kubernetes security is the ability to ensure containers are running with minimal privileges, avoiding escalation, not running containers with a root user, and using read-only file systems wherever possible. Where configuration is available at both a pod and container level, Polaris can validate both, allowing you to avoid potential problems down the line while finding success with proven strategies.
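The pod-level and container-level checks described above, as an added Python example in the spirit of Polaris (not Polaris's own code). It assumes a Pod manifest already loaded into a dict and merges the pod-level securityContext with each container's override before checking the fields the text names; the sample manifest is constructed.

```python
# field -> (required value, finding text when it is absent or wrong)
PRIVILEGE_CHECKS = {
    "runAsNonRoot": (True, "container may run as root"),
    "readOnlyRootFilesystem": (True, "root filesystem is writable"),
    "allowPrivilegeEscalation": (False, "privilege escalation is allowed"),
    "privileged": (False, "container runs privileged"),
}
# Only these fields are valid at pod level; the rest are container-only.
POD_LEVEL_FIELDS = {"runAsNonRoot", "runAsUser"}

def effective_context(pod_ctx, container_ctx):
    """Merge pod-level defaults with container-level overrides."""
    merged = {k: v for k, v in pod_ctx.items() if k in POD_LEVEL_FIELDS}
    merged.update(container_ctx)
    return merged

def check_pod(manifest):
    """Return (container name, finding) pairs for a Pod manifest given as a dict."""
    findings = []
    spec = manifest.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        ctx = effective_context(pod_ctx, c.get("securityContext", {}))
        for field, (wanted, message) in PRIVILEGE_CHECKS.items():
            # an explicit non-zero runAsUser also satisfies the non-root check
            if field == "runAsNonRoot" and ctx.get("runAsUser", 0) != 0:
                continue
            if ctx.get(field) != wanted:
                findings.append((c["name"], f"{field} should be {wanted}: {message}"))
    return findings

# Constructed sample: pod-level runAsNonRoot, one compliant and one risky container
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "web", "image": "example/web:1.0", "securityContext": {
                "readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                "privileged": False}},
            {"name": "debug", "image": "example/debug:1.0", "securityContext": {
                "runAsNonRoot": False, "privileged": True}},
        ],
    },
}

if __name__ == "__main__":
    for name, finding in check_pod(SAMPLE_POD):
        print(f"{name}: {finding}")
```

The `web` container inherits runAsNonRoot from the pod and passes; `debug` overrides it and fails every check.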
Goldilocks is an open source tool for recommending resource requests: it uses the Kubernetes vertical-pod-autoscaler (VPA) in recommendation mode to show suggestions for each application. Goldilocks creates a VPA for each deployment in a namespace and queries them for information, taking the current resource usage of your pods into account for better guidelines. Instead of running a horizontal pod autoscaler (which does not mesh well with the VPA), Goldilocks uses the VPA suggestions to provide reliable and actionable feedback.
The Goldilocks dashboard offers a visualization of the VPA recommendations, so you can visit a service in your cluster and see two types of suggestions, depending on which QoS class your deployment needs. A QoS class refers to the different ways resource requests and limits can be set.
Pluto helps users easily find outdated Kubernetes API versions in their code repositories and Helm releases. As the Kubernetes ecosystem continues to evolve, so do the APIs, which means deprecations and removals are inevitable. If you have moved to Kubernetes 1.22 or OpenShift 4.9, you know this pain is real. If you are planning an upgrade, Pluto is the perfect open source utility to help you find deprecated or removed Kubernetes apiVersions. Once Pluto is integrated into your CI/CD pipeline, it scans resources against your target Kubernetes version.
A cluster upgrade can break the deployment process when several applications deploy to a Kubernetes cluster, potentially impacting hundreds of repositories. Pluto was designed to provide this critical information ahead of time, to ensure deployment processes can be addressed before the upgrade happens. As an open source tool, Pluto can be used to scan a variety of sources for outdated versions, including flat manifest files and clusters using Helm to deploy.
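The kind of scan described in the two paragraphs above, as an added Python example that is not Pluto's own code: flat manifests are checked against a target Kubernetes version using a small deprecation table. The table entries follow the upstream Kubernetes deprecated-API guide, the minimal YAML parsing assumes plain `kind:`/`apiVersion:` lines, and the sample manifests are constructed.

```python
import re

# Constructed deprecation table, (kind, apiVersion) -> (deprecated_in, removed_in,
# replacement), following the upstream Kubernetes deprecated-API guide.
DEPRECATIONS = {
    ("Deployment", "extensions/v1beta1"): ((1, 9), (1, 16), "apps/v1"),
    ("Ingress", "extensions/v1beta1"): ((1, 14), (1, 22), "networking.k8s.io/v1"),
    ("Ingress", "networking.k8s.io/v1beta1"): ((1, 19), (1, 22), "networking.k8s.io/v1"),
    ("CronJob", "batch/v1beta1"): ((1, 21), (1, 25), "batch/v1"),
    ("PodSecurityPolicy", "policy/v1beta1"): ((1, 21), (1, 25), None),
}

def parse_version(text):
    """'1.22' or 'v1.22.3' -> (1, 22); deprecations key on major.minor only."""
    major, minor = re.match(r"v?(\d+)\.(\d+)", text).groups()
    return int(major), int(minor)

def scan_manifests(yaml_text, target):
    """Return (kind, apiVersion, status, replacement) for each resource whose
    apiVersion is deprecated or removed in the target Kubernetes version."""
    target_v = parse_version(target)
    findings = []
    for doc in yaml_text.split("\n---"):  # multi-document YAML, no parser needed
        kind = re.search(r"^kind:\s*(\S+)", doc, re.M)
        api = re.search(r"^apiVersion:\s*(\S+)", doc, re.M)
        entry = DEPRECATIONS.get((kind.group(1), api.group(1))) if kind and api else None
        if entry is None:
            continue
        deprecated_in, removed_in, replacement = entry
        if target_v >= removed_in:
            findings.append((kind.group(1), api.group(1), "REMOVED", replacement))
        elif target_v >= deprecated_in:
            findings.append((kind.group(1), api.group(1), "DEPRECATED", replacement))
    return findings

# Constructed sample manifests: one removed in 1.22, one deprecated, one current
SAMPLE_MANIFESTS = """\
apiVersion: extensions/v1beta1
kind: Ingress
---
apiVersion: batch/v1beta1
kind: CronJob
---
apiVersion: apps/v1
kind: Deployment
"""

if __name__ == "__main__":
    for kind, api, status, repl in scan_manifests(SAMPLE_MANIFESTS, "1.22"):
        print(f"{status}: {kind} {api} (migrate to {repl})")
```

Running the same scan with a later target (for example "1.25") turns the CronJob finding from DEPRECATED into REMOVED, which is the signal a pipeline gate should block on.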
Reckoner is a command line tool for Helm that uses YAML syntax to install and manage multiple Helm charts in a single file, allowing installations of charts from a git commit, branch or release. The definition of charts you want to install using this open source tool is called the “course,” and it consists of settings that tell Reckoner how to use Helm to install your charts, in which namespaces and with what values. The course also outlines what remote chart repositories you can pull from, to be managed as you would any other infrastructure-as-code.
Nova is a command-line interface for cross-checking the Helm charts running in your Kubernetes cluster against the latest available versions. Keeping everything in your cloud native environment up to date is one of the most critical (and most difficult) tasks. Failing to upgrade after new releases can leave your organization exposed to security holes, buggy features and a potential breach.
The open source tool Nova helps you determine when it’s time to update by letting you know if a newer version is available. This feature makes it easy to see if you are behind on any installed Helm charts, saving users considerable time and resources. Instead of monitoring each individual chart for updates, operators can run a single command with Nova to detect old versions, ensuring YAML files are current and infrastructure-as-code stays in line with those standards.
Gemini was built on the Kubernetes-native VolumeSnapshot API to provide a more robust and user-friendly interface. This open source tool allows for automated backups on a customizable, fine-grained schedule, deletes stale backups automatically, and restores data from specific backups.
Gemini helps users handle persistent storage in Kubernetes, thereby allowing developers to better manage volumes and backups in their cloud environment. Adding automation to Gemini means VolumeSnapshots are no longer done manually, which makes it easier for developers to ensure data is secure.
Saffire helps developers and engineering teams avoid single points of failure by pulling images from a variety of registries. This open source controller runs in a Kubernetes cluster and watches for pods that are experiencing issues pulling their underlying images. Saffire enables users to automatically switch between registries when an issue is detected with the primary registry, such as during an outage.
In today’s highly automated DevOps environment, engineers and development teams are constantly updating and deploying new versions of their software and applications. Pulling down container images from a registry is critical to the deployment process. If the registry is not available, the deployment breaks, causing an outage and a significant problem for both DevOps and the business. Saffire eliminates this problem.
Rok8s-scripts provides a framework for building GitOps workflows with Docker and Kubernetes. Adding this open source tool to your CI/CD pipeline lets you build, push and deploy applications using a set of tried and tested best practices. It can be used to verify deployments and database migrations, handle secrets and organize YAML files.
In addition to building Docker images and deploying them to Kubernetes, rok8s-scripts handles secure secrets management, environment-specific configuration, Docker build caching and much more. Rok8s-scripts is designed to work well with a variety of use cases and environments, offering many valid ways to configure CI pipelines.
RBAC Manager simplifies authorization in Kubernetes by supporting declarative configuration for RBAC with new custom resources. Instead of managing role bindings or service accounts directly, users specify a desired state, and RBAC Manager makes the necessary changes to reach it. RBAC Manager offers a more approachable and scalable solution by reducing the amount of configuration work required for sound authorization and enabling automation of RBAC configuration updates. This open source tool significantly cuts down the time needed for configuration.
RBAC Lookup is a CLI that allows practitioners to readily find the Kubernetes roles and cluster roles bound to a service account, group name or single user. “How much access does this user have to this cluster?” is now easier to answer. While RBAC Manager makes the process easier to manage, RBAC Lookup provides visibility into Kubernetes authorization and helps you adhere to the principle of least privilege in your cluster.
Fairwinds offers a platform of integrated, trusted open source tools to proactively monitor Kubernetes configurations and recommend improvements to avoid future problems. The goal of the Fairwinds open source community is to exchange ideas, influence the open source roadmap, and network with fellow Kubernetes users. To get involved, chat with us on Slack or join our open source user group!
Next open source meetup is on June 22, 2022 at 11am EDT | 8am PDT. Register now!