feat(fairwinds-polaris): install Fairwinds Polaris
188
fairwinds-polaris/README.md
Normal file
@@ -0,0 +1,188 @@
# Fairwinds Polaris

Fairwinds Polaris is a Kubernetes security audit tool that validates cluster configurations against best practices.

## Features

- Dashboard for visualizing security audit results
- Checks for security, efficiency, and reliability issues
- Customizable security policies
- Support for exemptions
- Real-time cluster scanning

## Prerequisites

- Kubernetes cluster (k3s)
- Helm 3
- kubectl configured

## Installation

Install Fairwinds Polaris with interactive configuration:

```bash
just fairwinds-polaris::install
```

During installation, you will be prompted to:

1. **Enable Ingress?**
- Yes: Expose via Ingress (requires FQDN)
- No: Access via port-forward (recommended for development)

2. **Enable OAuth2 Proxy authentication?** (only if Ingress is enabled)
- Yes: Keycloak SSO authentication
- No: Public access without authentication

### Access Options

**Ingress (if enabled):**

- Without OAuth2 Proxy: Direct access via `https://fairwinds-polaris.yourdomain.com`
- With OAuth2 Proxy: Keycloak authentication required via `https://fairwinds-polaris.yourdomain.com`

**Port-forward (without Ingress):**

```bash
just fairwinds-polaris::port-forward
# Opens on http://localhost:8080
```

## Usage

### View Audit Results

Port-forward to dashboard:

```bash
just fairwinds-polaris::port-forward
```

Or fetch JSON results:

```bash
just fairwinds-polaris::audit
```

### Upgrade

```bash
just fairwinds-polaris::upgrade
```

### Uninstall

```bash
just fairwinds-polaris::uninstall
```

## Configuration

Configuration is managed through `values.gomplate.yaml`.

### Security Checks

Polaris performs the following security checks:

- **Security**
- `hostIPCSet`: danger
- `hostPIDSet`: danger
- `notReadOnlyRootFilesystem`: warning
- `privilegeEscalationAllowed`: danger
- `runAsRootAllowed`: warning
- `runAsPrivileged`: danger
- `insecureCapabilities`: warning
- `dangerousCapabilities`: danger

- **Efficiency**
- `cpuRequestsMissing`: warning
- `cpuLimitsMissing`: warning
- `memoryRequestsMissing`: warning
- `memoryLimitsMissing`: warning

- **Reliability**
- `tagNotSpecified`: danger
- `readinessProbeMissing`: warning
- `livenessProbeMissing`: warning
- `deploymentMissingReplicas`: ignore (disabled)

- **Network**
- `hostNetworkSet`: warning
- `hostPortSet`: warning
- `missingNetworkPolicy`: warning

### Exemptions

System components are pre-configured with exemptions:

- kube-system controllers
- Monitoring tools (Prometheus, Grafana)
- Networking components (Flannel, Calico)

## Environment Variables

| Variable | Default | Description |
|----------|---------|-------------|
| `FAIRWINDS_POLARIS_NAMESPACE` | `fairwinds-polaris` | Kubernetes namespace |
| `FAIRWINDS_POLARIS_CHART_VERSION` | `5.19.0` | Helm chart version |
| `FAIRWINDS_POLARIS_HOST` | - | FQDN for Ingress (when enabled) |
| `FAIRWINDS_POLARIS_INGRESS_ENABLED` | `false` | Enable Ingress |
| `KEYCLOAK_REALM` | `buunstack` | Keycloak realm |
| `KEYCLOAK_HOST` | - | Keycloak host |

## Understanding Results

Polaris categorizes issues by severity:

- 🔴 **Danger**: Critical security issues
- 🟡 **Warning**: Important but not critical
- 🟢 **Success**: Passed all checks

### Score Calculation

Each check has a severity level that contributes to the overall score:

- Danger: -10 points
- Warning: -1 point
- Success: +1 point

## Best Practices

1. **Regular Scanning**: Run Polaris regularly to catch configuration drift
2. **Address Dangers First**: Focus on danger-level issues before warnings
3. **Review Exemptions**: Periodically review exempted resources
4. **CI/CD Integration**: Consider integrating Polaris into your deployment pipeline

## Troubleshooting

### Dashboard Not Accessible

Check if the service is running:

```bash
kubectl get pods -n polaris
kubectl get svc -n polaris
```

### Port-forward Fails

Ensure the dashboard service is ready:

```bash
kubectl get svc polaris-dashboard -n polaris
```

### Ingress Not Working

Check IngressRoute and OAuth2 Proxy:

```bash
kubectl get ingressroute -n polaris
kubectl get pods -n polaris | grep oauth2-proxy
```

## References

- [Polaris Documentation](https://polaris.docs.fairwinds.com/)
- [GitHub Repository](https://github.com/FairwindsOps/polaris)
- [Helm Chart](https://github.com/FairwindsOps/charts/tree/master/stable/polaris)
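Review bot: the Troubleshooting section queries the wrong namespace, so every command in it returns nothing on a default install: `kubectl get pods -n polaris`, `kubectl get svc polaris-dashboard -n polaris` and `kubectl get ingressroute -n polaris` all use `polaris`, while the Environment Variables table documents `FAIRWINDS_POLARIS_NAMESPACE` defaulting to `fairwinds-polaris`; switch them to `-n "$FAIRWINDS_POLARIS_NAMESPACE"` (or `-n fairwinds-polaris`) and confirm that `polaris-dashboard` is the Service name the release actually produces under that namespace. Two smaller points in the same file: the Ingress prompt option "No: Public access without authentication" should carry a warning rather than read as a neutral choice, because the dashboard publishes every workload's security findings (privileged containers, host namespaces, missing NetworkPolicies) to anyone who can reach the FQDN, which is a ready-made reconnaissance map; state that OAuth2 Proxy is the expected selection whenever Ingress is enabled. And the Score Calculation section ("Danger: -10 points", "Warning: -1 point", "Success: +1 point") cites no source; Polaris reports its score as a percentage derived from the counts of passing, warning and danger checks, so either link the scoring description in the Polaris docs or drop the point values rather than document a formula the tool does not use.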