Fairwinds | Blog

Polaris vs. KubeLinter

Written by Robert Brennan | Feb 25, 2021 7:55:50 PM

Identifying Kubernetes misconfiguration can help you ensure your clusters are secure, efficient and reliable.  Polaris, by Fairwinds, is an open source tool that our team created to help us managed hundreds of production workloads for our  customers. It runs a variety of checks to ensure that Kubernetes pods and controllers are configured using Kubernetes best practices to help avoid workload configuration problems. 

You can install Polaris in each cluster to identify misconfigurations. If you require multi-cluster visibility, we have an  upgrade path to Fairwinds Insights that incorporates not just Polaris, but additional open source tools including:

  • Pluto (identify deprecated K8S resources)

  • Nova (finds outdated or deprecated Helm charts)

  • Trivy (vulnerability scanner for containers)

  • Goldilocks (suggests resource requests and limits)

This not only allows you to manage Kubernetes misconfiguration across multiple clusters, teams and environments, but it also identifies problems, alerts teams (via the dashboard or Slack integration) and suggests remediation. 

KubeLinter is a new open source tool launched in late 2020. KubeLinter analyzes Kubernetes YAML files and Helm charts and checks them against various best practices, with a focus on production readiness and security.

If you are comparing Polaris vs. KubeLinter, here is a quick rundown of the checks you get with each. (Comparison as of 2/23/21)

Polaris

KubeLinter

Description

Security

   

Yes

No

securityContext.allowPrivilegeEscalation

Yes

No

Missing TLS setting

Yes

No

hostPort attribute configured

Yes

No

PID attribute configured

Yes

No

Host Network configured

Yes

No

Host IPC configured

Yes

No

Dangerous capabilities (read list here)

Yes

No

Insecure capabilities included

Yes

Yes

Containers not dropping NET_RAW capability

Yes

Yes

Containers running as privileged

Yes

Yes

Containers not running readOnlyRootFilesystem

Yes

Yes

Containers set to runAsNonRoot

No

Yes

Object using a secret in an environment variable

No

Yes

Objects without an 'email' annotation with a valid email

No

Yes

Missing 'owner' label

No

Yes

Containers that mount a host path as writable

No

Yes

Deployments exposing port 22, commonly reserved for SSH access

No

Yes

Pods use default service account

Efficiency

   

Yes

Yes

Missing memory requests and limits

Yes

Yes

Missing CPU request and limits

Reliability

   

Yes

No

Image tag not specified or latest

Yes

No

Image pull policy is not set to always

Yes

No

PriorityClassName is not set for pod

Yes

No

Only one replica set for deployment

Yes

Yes

Missing liveness probe

Yes

Yes

Missing readiness probe

No; Pluto handles

Yes

Objects using deprecated API versions under extensions v1beta

No

Yes

Multiple replicas that don't specify inter pod anti-affinity to ensure that the orchestrator attempts to schedule replicas on different

No

Yes

Pods referencing a service account that isn't found

No

Yes

Selector doesn't match the pod template labels

No

Yes

Services with no matching deployments

No

Yes

Deployments use deprecated serviceAccount field