K8s Tutorial: Using the Policy Engine, Polaris, to Automate Fixes


In a previous blog post, we showed you how to install the policy engine, Polaris, and audit your Kubernetes workloads using the dashboard, an admission controller, and the CLI tool. In this tutorial, we go beyond just visualizing your Kubernetes efficiency, reliability, and security issues, and show you how to use Polaris to automate the fixes it finds.

Update your infrastructure as code with the Polaris CLI tool

Polaris can do more than audit files from the command line. With the polaris fix command it can automatically rewrite a YAML manifest to resolve the issues it finds. For example, to fix every issue it can in the deploy directory, run:

polaris fix --files-path ./deploy/ --checks=all

Polaris may leave comments next to certain changes (e.g. liveness and readiness probes) prompting the user to set them to something more appropriate given the context of their application.

Not all problems can be fixed automatically, and currently only raw YAML manifests can be mutated; Helm charts still have to be edited by hand (updates on this front are coming soon!). Review the resulting diff before committing it: fixes such as making the root filesystem read-only or dropping capabilities change how the container runs, so they need to be tested, not just applied.

Mutating Webhook

By default, the Polaris admission webhook is a validating webhook: it either blocks or allows a deployment. You can instead configure Polaris as a mutating webhook that automatically modifies the workload when it detects a problem, rather than rejecting it.

For instructions on installing the validating webhook with Helm, see the Polaris documentation.

To enable the mutating webhook, set the webhook.mutate flag to true. The full command is:

helm upgrade --install polaris fairwinds-stable/polaris --namespace demo --create-namespace --set webhook.enable=true --set webhook.mutate=true --set dashboard.enable=false

By default, the only check the Polaris mutating webhook will fix is pullPolicyNotAlways. To enable other mutations, set them via the webhook.mutatingRules flag, or list them under the mutations section of your Polaris config. Keep in mind that every rule listed here changes workloads at admission time without surfacing an error to whoever applied them, so enable rules that alter runtime behaviour (the host* checks, the capability checks, notReadOnlyRootFilesystem) only after testing the affected workloads with them:

mutations:
  - cpuLimitsMissing
  - cpuRequestsMissing
  - dangerousCapabilities
  - deploymentMissingReplicas
  - hostIPCSet
  - hostNetworkSet
  - hostPIDSet
  - insecureCapabilities
  - livenessProbeMissing
  - memoryLimitsMissing
  - memoryRequestsMissing
  - notReadOnlyRootFilesystem
  - priorityClassNotSet
  - pullPolicyNotAlways

To learn more about this feature, see our blog post Kubernetes mutations with Polaris: how does it work?.
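The same mutating-webhook setup expressed as a Helm values file instead of a string of --set flags, scoped to a staged set of mutations. This is an added example, not a file from the original post or from the Polaris project; webhook.enable, webhook.mutate, webhook.mutatingRules and dashboard.enable are the value names used above, but passing mutatingRules as a YAML list in a values file is an assumption to check against the chart's values.yaml for your Polaris version.

```yaml
# polaris-values.yaml (added example; not the project's own file)
#
# Turns on the Polaris admission webhook in mutating mode and scopes which
# checks it is allowed to fix. Value names follow the --set flags used in
# the helm command above; that mutatingRules accepts a list here is an
# assumption to verify against the chart's values.yaml.
dashboard:
  enable: false

webhook:
  enable: true
  mutate: true
  # First stage: mutations whose result is visible in the admitted manifest
  # and easy to tune (pull policy, resources, replicas, priority, probes).
  # Whatever values a mutation inserts still have to fit the workload, e.g.
  # an inserted memory limit that is too small will get the pod OOM-killed.
  #
  # Deliberately NOT listed yet: hostNetworkSet, hostPIDSet, hostIPCSet,
  # dangerousCapabilities, insecureCapabilities, notReadOnlyRootFilesystem.
  # Those strip privileges a pod may actually rely on, and a webhook does it
  # silently at admission time, so add them only after the affected
  # workloads have been tested with the stricter settings.
  mutatingRules:
    - pullPolicyNotAlways
    - cpuRequestsMissing
    - cpuLimitsMissing
    - memoryRequestsMissing
    - memoryLimitsMissing
    - deploymentMissingReplicas
    - priorityClassNotSet
    - livenessProbeMissing
```

Install or upgrade with `helm upgrade --install polaris fairwinds-stable/polaris --namespace demo --create-namespace -f polaris-values.yaml`; the values file replaces the four --set flags in the command above and keeps the list of enabled mutations under version control next to your other infrastructure code.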

The polaris fix command and the mutating webhook are good options if you deploy workloads to a Kubernetes cluster by hand, but if your code and infrastructure changes go through a continuous integration system, you can run Polaris there as well.

Add Polaris to your continuous integration pipeline

Polaris can be installed and run in a continuous integration system such as GitLab CI, Jenkins, CircleCI or CodeShip, and it can fail your pipeline under conditions you choose. For example, it can return a non-zero exit code if it finds any danger-level issue in your infrastructure-as-code YAML files or Helm charts, or if the overall score drops below 75%. You can also have it print only the failed tests so the output is easier for a human to read. For that set of conditions, the Polaris step in your CI pipeline would look like this:

polaris audit --audit-path ./deploy/ \
  --set-exit-code-on-danger \
  --set-exit-code-below-score 75 \
  --only-show-failed-tests

This method does not automatically fix problems discovered by Polaris, but it will show errors in the CI system logs.
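The CI gate above as a GitLab CI pipeline, plus a second job that covers the polaris fix workflow from earlier in the post: it runs polaris fix on a scratch copy and fails if the result differs from what is committed, so fixes reach the repository through a reviewed commit rather than silently. This is an added example, not the original post's or Fairwinds' own pipeline. quay.io/fairwinds/polaris is the published Polaris image, but the tag, the ./deploy path, the 75% threshold, and the presence of a shell, cp and diff in that image are assumptions.

```yaml
# .gitlab-ci.yml (added example; not from the original post)
stages:
  - lint

# Gate: fail the pipeline on any danger-level finding or a score below 75%.
polaris-audit:
  stage: lint
  # Pin the tag (ideally the digest) of the release you validated; "latest"
  # is used here only so the example is self-contained.
  image: quay.io/fairwinds/polaris:latest
  script:
    # Machine-readable report, kept as an artifact for later review. Without
    # the --set-exit-code-* flags this run always exits 0.
    - polaris audit --audit-path ./deploy/ --format=json > polaris-report.json
    # Human-readable run that decides pass/fail.
    - >
      polaris audit --audit-path ./deploy/
      --set-exit-code-on-danger
      --set-exit-code-below-score 75
      --only-show-failed-tests
  artifacts:
    when: always
    paths:
      - polaris-report.json
  rules:
    - changes:
        - deploy/**/*

# Drift check: polaris fix on a copy, then diff against the committed tree.
# A non-zero exit from diff means the repository contains manifests that
# polaris fix would still change, i.e. someone skipped the fix step (and
# with it the probe comments Polaris leaves for a human to resolve).
polaris-fix-drift:
  stage: lint
  image: quay.io/fairwinds/polaris:latest
  script:
    - cp -r deploy /tmp/deploy-fixed
    - polaris fix --files-path /tmp/deploy-fixed/ --checks=all
    # diff exits 1 when the trees differ, which fails the job.
    - diff -ru deploy /tmp/deploy-fixed
  rules:
    - changes:
        - deploy/**/*
```

Keeping the fix step as a check rather than an auto-commit is deliberate: polaris fix can change runtime behaviour (read-only root filesystem, dropped capabilities) and it leaves placeholder probes that need a human decision, so the diff should be reviewed in a merge request, not applied by the pipeline.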

Polaris can also be run in GitHub Actions by following the instructions in the Polaris documentation.

Use Polaris in multiple clusters at once

If you have multiple clusters and want to use Polaris to scan them all at once, Fairwinds offers a platform called Fairwinds Insights. It lets you manage Polaris across clusters centrally and consistently, to keep your Kubernetes workloads as efficient, reliable, and secure as possible.


*** This is a syndicated blog from the Security Bloggers Network of Fairwinds | Blog written by Robert Brennan. Read the original post at: https://www.fairwinds.com/blog/k8s-tutorial-policy-engine-polaris-to-automate-fixes


