Polaris
Polaris by Fairwinds is an open-source project that identifies Kubernetes deployment configuration errors. Polaris runs over a dozen different checks to help users discover Kubernetes misconfigurations that frequently cause security vulnerabilities, outages, scaling limitations, and more. Using Polaris, you can avoid problems and ensure you’re using Kubernetes best practices.
See DKP Insights Release Notes if you wish to know which Polaris version is included in this release.
Enable or Disable Polaris Insights
Edit the Service configuration with the following values:
polaris:
  enabled: true
To modify an existing installation:
Select Workspace, Applications, DKP-Insights, and then Edit to modify an installation.
Frequency of Polaris Audit Scans
Polaris Audits run every 37 minutes by default. The schedule uses Cron syntax. You can change the default by editing the Service configuration with the following values:
polaris:
  schedule: "@every 37m"
To modify an existing installation:
Select Workspace, Applications, DKP-Insights, and then Edit to modify an installation.
Modifying Severities of Polaris Insights
Polaris Audit assigns a default severity to each of these types:
You can change these defaults by modifying the Service configuration with the following values:
polaris:
  config:
    # See https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml
    checks:
      # reliability
      deploymentMissingReplicas: warning
      priorityClassNotSet: ignore
      tagNotSpecified: danger
      pullPolicyNotAlways: warning
      readinessProbeMissing: warning
      livenessProbeMissing: warning
      metadataAndNameMismatched: ignore
      pdbDisruptionsIsZero: warning
      missingPodDisruptionBudget: ignore
      # efficiency
      cpuRequestsMissing: warning
      cpuLimitsMissing: warning
      memoryRequestsMissing: warning
      memoryLimitsMissing: warning
      # security
      hostIPCSet: danger
      hostPIDSet: danger
      notReadOnlyRootFilesystem: warning
      privilegeEscalationAllowed: danger
      runAsRootAllowed: danger
      runAsPrivileged: danger
      dangerousCapabilities: danger
      insecureCapabilities: warning
      hostNetworkSet: danger
      hostPortSet: warning
      tlsSettingsMissing: warning
To modify an existing installation:
Select Workspace, Applications, DKP-Insights, and then Edit to modify an installation.
When you mark a Polaris Audit Insight alert as Not-Useful, newly generated alerts are set to the lowest severity of Notice.
Add Exemptions to Polaris Insights
You can exclude a particular workload from a Polaris Audit by adding it to the Exemptions. This example shows how to exempt the workload dummy-deployment, which currently has an issue where its CPU limits are missing. Change the exemptions list by modifying the Service configuration with the following values:
polaris:
  config:
    exemptions:
      - controllerNames:
          - dummy-deployment
        rules:
          - cpuLimitsMissing
To modify an existing installation:
Select Workspace, Applications, DKP-Insights, and then Edit to modify an installation.
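Severity overrides and exemptions both silence findings, so it helps to review them before applying a change. The following Ruby script is an added example, not part of the original page or of DKP or Polaris: it flags security checks set to ignore, exemptions that name a security rule, and severity values that do not appear in the list above. The sample configuration and the legacy-agent workload are constructed, and review_polaris_config is a hypothetical helper name.

```ruby
require 'yaml'
# Checks listed under "# security" in the severity list above.
SECURITY_CHECKS = %w[
  hostIPCSet hostPIDSet notReadOnlyRootFilesystem privilegeEscalationAllowed
  runAsRootAllowed runAsPrivileged dangerousCapabilities insecureCapabilities
  hostNetworkSet hostPortSet tlsSettingsMissing
].freeze
VALID_SEVERITIES = %w[ignore warning danger].freeze # values used in the list above

# Constructed sample Service configuration; legacy-agent is a made-up workload.
SAMPLE_CONFIG = <<~YAML
  polaris:
    config:
      checks:
        runAsRootAllowed: ignore
        hostNetworkSet: danger
        tagNotSpecified: dangerr
      exemptions:
        - controllerNames:
            - dummy-deployment
          rules:
            - cpuLimitsMissing
        - controllerNames:
            - legacy-agent
          rules:
            - runAsPrivileged
YAML

# Returns one finding per silenced security check or unrecognised severity.
def review_polaris_config(yaml_text)
  config = (YAML.safe_load(yaml_text) || {}).dig('polaris', 'config') || {}
  findings = []
  (config['checks'] || {}).each do |check, severity|
    if !VALID_SEVERITIES.include?(severity)
      findings << "#{check}: unknown severity #{severity.inspect}"
    elsif severity == 'ignore' && SECURITY_CHECKS.include?(check)
      findings << "#{check}: security check set to ignore"
    end
  end
  (config['exemptions'] || []).each do |exemption|
    names = Array(exemption['controllerNames']).join(', ')
    (Array(exemption['rules']) & SECURITY_CHECKS).each do |rule|
      findings << "#{rule}: security check exempted for #{names}"
    end
  end
  findings
end

puts review_polaris_config(SAMPLE_CONFIG)
```

The dummy-deployment exemption from the page produces no finding because cpuLimitsMissing is an efficiency check, not a security check.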