Identifying Kubernetes misconfiguration can help you ensure your clusters are secure, efficient and reliable. Polaris, by Fairwinds, is an open source tool that our team created to help us managed hundreds of production workloads for our customers. It runs a variety of checks to ensure that Kubernetes pods and controllers are configured using Kubernetes best practices to help avoid workload configuration problems.
You can install Polaris in each cluster to identify misconfigurations. If you require multi-cluster visibility, we have an upgrade path to Fairwinds Insights that incorporates not just Polaris, but additional open source tools including:
Pluto (identify deprecated K8S resources)
Nova (finds outdated or deprecated Helm charts)
Trivy (vulnerability scanner for containers)
Goldilocks (suggests resource requests and limits)
This not only allows you to manage Kubernetes misconfiguration across multiple clusters, teams and environments, but it also identifies problems, alerts teams (via the dashboard or Slack integration) and suggests remediation.
KubeLinter is a new open source tool launched in late 2020. KubeLinter analyzes Kubernetes YAML files and Helm charts and checks them against various best practices, with a focus on production readiness and security.
If you are comparing Polaris vs. KubeLinter, here is a quick rundown of the checks you get with each. (Comparison as of 2/23/21)
|
Polaris |
KubeLinter |
Description |
|
Security |
||
|
Yes |
No |
securityContext.allowPrivilegeEscalation |
|
Yes |
No |
Missing TLS setting |
|
Yes |
No |
hostPort attribute configured |
|
Yes |
No |
PID attribute configured |
|
Yes |
No |
Host Network configured |
|
Yes |
No |
Host IPC configured |
|
Yes |
No |
|
|
Yes |
No |
Insecure capabilities included |
|
Yes |
Yes |
Containers not dropping NET_RAW capability |
|
Yes |
Yes |
Containers running as privileged |
|
Yes |
Yes |
Containers not running readOnlyRootFilesystem |
|
Yes |
Yes |
Containers set to runAsNonRoot |
|
No |
Yes |
Object using a secret in an environment variable |
|
No |
Yes |
Objects without an 'email' annotation with a valid email |
|
No |
Yes |
Missing 'owner' label |
|
No |
Yes |
Containers that mount a host path as writable |
|
No |
Yes |
Deployments exposing port 22, commonly reserved for SSH access |
|
No |
Yes |
Pods use default service account |
|
Efficiency |
||
|
Yes |
Yes |
Missing memory requests and limits |
|
Yes |
Yes |
Missing CPU request and limits |
|
Reliability |
||
|
Yes |
No |
Image tag not specified or latest |
|
Yes |
No |
Image pull policy is not set to always |
|
Yes |
No |
PriorityClassName is not set for pod |
|
Yes |
No |
Only one replica set for deployment |
|
Yes |
Yes |
Missing liveness probe |
|
Yes |
Yes |
Missing readiness probe |
|
No; Pluto handles |
Yes |
Objects using deprecated API versions under extensions v1beta |
|
No |
Yes |
Multiple replicas that don't specify inter pod anti-affinity to ensure that the orchestrator attempts to schedule replicas on different |
|
No |
Yes |
Pods referencing a service account that isn't found |
|
No |
Yes |
Selector doesn't match the pod template labels |
|
No |
Yes |
Services with no matching deployments |
|
No |
Yes |
Deployments use deprecated serviceAccount field |
