K8s Tutorial: Using the Policy Engine, Polaris, to Automate Patches


In a previous blog post, we showed you how to install the policy engine, Polaris, and audit your Kubernetes workloads using the dashboard, an admission controller, and the CLI tool. In this tutorial, we go beyond just visualizing your Kubernetes efficiency, reliability, and security issues, and show you how to use Polaris to automate the fixes it finds.

Update your infrastructure as code with the Polaris CLI tool

Polaris can do more than just audit files from the command line. By using the polaris fix command, it can automatically review the YAML manifest of any issues it finds. For example, to troubleshoot any issues in the deployment directory, run:

polaris fix --files-path ./deploy/ --checks=all

Polaris may leave comments next to certain changes (e.g. liveness and readiness probes) prompting the user to set them to something more appropriate given the context of their application.

Not all problems can be solved automatically. Currently, only raw YAML manifests can be mutated. Helm cards still need to be edited manually (feature updates are coming soon on this front!).

Changing Webhook

By default, the Polaris commit webhook will block or allow a deployment, but you can configure Polaris to work as a mutating webhook that will automatically modify a deployment when a problem is detected, instead of terminating the operation.

For instructions on using Helm to install the validation webhook, see the Polaris documentation.

To enable the mutation webhook, you’ll set the webhook.mutate true flag. The full command is this:

helm upgrade --install polaris fairwinds-stable/polaris --namespace demo --create-namespace --set webhook.enable=true --set webhook.mutate=true --set dashboard.enable=false

By default, the only issue the Polaris mutation webhook will modify is pullPolicyNotAlways. If you want to enable other mutations, you can set them via the webhook.mutatingRules flag, or you can change the mutatingRules section of your Polaris setup:

  enableMutation: true
  - cpuLimitsMissing
  - cpuRequestsMissing
  - dangerousCapabilities
  - deploymentMissingReplicas
  - hostIPCSet
  - hostNetworkSet
  - hostPIDSet
  - insecureCapabilities
  - livenessProbeMissing
  - memoryLimitsMissing
  - memoryRequestsMissing
  - notReadOnlyRootFilesystem
  - priorityClassNotSet
  - pullPolicyNotAlways

For a more in-depth look at this feature, see our blog post Kubernetes Mutations with Polaris: How it Works.

The polaris fix The mutant command and webhook is a great option for people manually deploying workloads to a Kubernetes cluster, but if you’re committing your code and infrastructure changes through a continuous integration system, you can also use Polaris .

Add Polaris to your continuous integration pipeline

Polaris can be installed and run in a continuous integration system like GitLab CI, Jenkins, CircleCI or CodeShip. Polaris will force your deployment process to complete under any conditions you set. For example, you can set an exit code if Polaris detects certain issues with your infrastructure-as-code YAML files or Helm charts, any danger level issues, or if the overall score drops below 75%. You can configure Polaris to display only your failed tests and print the results so that they are easier for a human to read. For this set of conditions, the Polaris configuration in your CI pipeline would look like this:

polaris audit --audit-path ./deploy/ 
  	--set-exit-code-below-score 75 
	--only-show-failed-tests true 

This method does not automatically fix problems discovered by Polaris, but it will show errors in the CI system logs.

Polaris can also be configured in GitHub Actions by following the instructions in the Polaris documentation.

Use Polaris in multiple clusters at once

If you have multiple clusters and want to use Polaris to analyze them all at once, Fairwinds offers a platform called Insights. Users can centrally manage Polaris across clusters in a consistent way to ensure your Kubernetes workloads are as efficient, reliable, and secure as possible.


*** This is a syndicated blog from the Fairwinds Security Bloggers Network | Blog written by Robert Brennan. Read the original post at: https://www.fairwinds.com/blog/k8s-tutorial-policy-engine-polaris-to-automate-fixes


About Author

Comments are closed.