# Fairwinds Polaris

Fairwinds Polaris is a Kubernetes security audit tool that validates cluster configurations against best practices.

## Features
- Dashboard for visualizing security audit results
- Checks for security, efficiency, and reliability issues
- Customizable security policies
- Support for exemptions
- Real-time cluster scanning
## Prerequisites
- Kubernetes cluster (k3s)
- Helm 3
- kubectl configured
## Installation

Install Fairwinds Polaris with interactive configuration:

```bash
just fairwinds-polaris::install
```

During installation, you will be prompted to:

- Enable Ingress?
  - Yes: Expose via Ingress (requires FQDN)
  - No: Access via port-forward (recommended for development)
- Enable OAuth2 Proxy authentication? (only if Ingress is enabled)
  - Yes: Keycloak SSO authentication
  - No: Public access without authentication
## Access Options

Ingress (if enabled):

- Without OAuth2 Proxy: Direct access via https://fairwinds-polaris.yourdomain.com
- With OAuth2 Proxy: Keycloak authentication required via https://fairwinds-polaris.yourdomain.com

Port-forward (without Ingress):

```bash
just fairwinds-polaris::port-forward
# Opens on http://localhost:8080
```
## Usage

### View Audit Results

Port-forward to dashboard:

```bash
just fairwinds-polaris::port-forward
```

Or fetch JSON results:

```bash
just fairwinds-polaris::audit
```

### Upgrade

```bash
just fairwinds-polaris::upgrade
```

### Uninstall

```bash
just fairwinds-polaris::uninstall
```

## Configuration

Configuration is managed through `values.gomplate.yaml`.
### Security Checks

Polaris performs the following checks, each with the severity configured here:

- Security
  - `hostIPCSet`: danger
  - `hostPIDSet`: danger
  - `notReadOnlyRootFilesystem`: warning
  - `privilegeEscalationAllowed`: danger
  - `runAsRootAllowed`: warning
  - `runAsPrivileged`: danger
  - `insecureCapabilities`: warning
  - `dangerousCapabilities`: danger
- Efficiency
  - `cpuRequestsMissing`: warning
  - `cpuLimitsMissing`: warning
  - `memoryRequestsMissing`: warning
  - `memoryLimitsMissing`: warning
- Reliability
  - `tagNotSpecified`: danger
  - `readinessProbeMissing`: warning
  - `livenessProbeMissing`: warning
  - `deploymentMissingReplicas`: ignore (disabled)
- Network
  - `hostNetworkSet`: warning
  - `hostPortSet`: warning
  - `missingNetworkPolicy`: warning

### Exemptions
System components are pre-configured with exemptions:
- kube-system controllers
- Monitoring tools (Prometheus, Grafana)
- Networking components (Flannel, Calico)
### Environment Variables

| Variable | Default | Description |
|---|---|---|
| `FAIRWINDS_POLARIS_NAMESPACE` | `fairwinds-polaris` | Kubernetes namespace |
| `FAIRWINDS_POLARIS_CHART_VERSION` | `5.19.0` | Helm chart version |
| `FAIRWINDS_POLARIS_HOST` | - | FQDN for Ingress (when enabled) |
| `FAIRWINDS_POLARIS_INGRESS_ENABLED` | `false` | Enable Ingress |
| `KEYCLOAK_REALM` | `buunstack` | Keycloak realm |
| `KEYCLOAK_HOST` | - | Keycloak host |

## Understanding Results
Polaris categorizes issues by severity:
- 🔴 Danger: Critical security issues
- 🟡 Warning: Important but not critical
- 🟢 Success: Passed all checks
### Score Calculation
Each check has a severity level that contributes to the overall score:
- Danger: -10 points
- Warning: -1 point
- Success: +1 point
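The check list above and this score formula, as an added example that is not Polaris's own code: a small re-implementation of a subset of the checks (pod-level and per-container), applied to a constructed pod spec and scored with the simplified formula stated here. It assumes a plain dict shaped like the Kubernetes PodSpec API; the sample pod and the image tag `1.25` used in testing are constructed.

```python
# Added example, not Polaris's own code: re-implements a subset of the checks listed
# above on a PodSpec-shaped dict and scores it with this page's simplified formula.
SEVERITY = {  # check -> severity, as listed in the section above
    "hostIPCSet": "danger", "hostPIDSet": "danger", "hostNetworkSet": "warning",
    "runAsPrivileged": "danger", "privilegeEscalationAllowed": "danger",
    "notReadOnlyRootFilesystem": "warning", "runAsRootAllowed": "warning",
    "cpuRequestsMissing": "warning", "cpuLimitsMissing": "warning",
    "memoryRequestsMissing": "warning", "memoryLimitsMissing": "warning",
    "tagNotSpecified": "danger", "readinessProbeMissing": "warning",
    "livenessProbeMissing": "warning"}
POINTS = {"danger": -10, "warning": -1, "success": 1}  # per-check score contribution


def container_failures(c):
    """Names of the checks above that fail for one container dict."""
    bad, sc, res = set(), c.get("securityContext", {}), c.get("resources", {})
    if sc.get("privileged"):
        bad.add("runAsPrivileged")
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes API default is True
        bad.add("privilegeEscalationAllowed")
    if not sc.get("readOnlyRootFilesystem"):
        bad.add("notReadOnlyRootFilesystem")
    if not (sc.get("runAsNonRoot") or (sc.get("runAsUser") or 0) > 0):
        bad.add("runAsRootAllowed")
    for kind in ("requests", "limits"):
        for r in ("cpu", "memory"):
            if r not in res.get(kind, {}):
                bad.add(f"{r}{kind.capitalize()}Missing")
    image = c.get("image", "")  # tag is after the last ':' of the last path segment
    tag = image.rsplit(":", 1)[1] if ":" in image.rsplit("/", 1)[-1] else ""
    if tag in ("", "latest"):  # unpinned image: "latest" or no tag at all
        bad.add("tagNotSpecified")
    for probe in ("readiness", "liveness"):
        if f"{probe}Probe" not in c:
            bad.add(f"{probe}ProbeMissing")
    return bad


def audit(spec):
    """Return (failed check names, score) for a pod spec, counting each check once."""
    failed = {chk for key, chk in (("hostIPC", "hostIPCSet"), ("hostPID", "hostPIDSet"),
                                   ("hostNetwork", "hostNetworkSet")) if spec.get(key)}
    for c in spec.get("containers", []):
        failed |= container_failures(c)
    score = sum(POINTS[SEVERITY[k]] if k in failed else POINTS["success"] for k in SEVERITY)
    return failed, score


# Constructed sample pod: privileged, unpinned image, host PID namespace, no probes/limits.
SAMPLE = {"hostPID": True, "containers": [{"name": "app", "image": "nginx:latest",
          "securityContext": {"privileged": True}, "resources": {"requests": {"cpu": "100m"}}}]}
print(audit(SAMPLE))
```

The sample pod fails 4 danger and 7 warning checks and passes 3, so the score is -40 - 7 + 3 = -44; a hardened pod that passes all 14 checks scores +14.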
## Best Practices
- Regular Scanning: Run Polaris regularly to catch configuration drift
- Address Dangers First: Focus on danger-level issues before warnings
- Review Exemptions: Periodically review exempted resources
- CI/CD Integration: Consider integrating Polaris into your deployment pipeline
## Troubleshooting

### Dashboard Not Accessible

Check if the service is running:

```bash
kubectl get pods -n polaris
kubectl get svc -n polaris
```

### Port-forward Fails

Ensure the dashboard service is ready:

```bash
kubectl get svc polaris-dashboard -n polaris
```

### Ingress Not Working

Check IngressRoute and OAuth2 Proxy:

```bash
kubectl get ingressroute -n polaris
kubectl get pods -n polaris | grep oauth2-proxy
```