Validation of best practices in your Kubernetes clusters

An update configuration schema should be designed that will support all of the existing validations along with all planned validations before v1, including:

• Pull policy always (warning)
• No host networking
• No host port
• No host IPC
• No host pid
• Restricting kernel capabilities by default like SYS_ADMIN (warning)
• No privileged containers (warning)
• No root user (warning)
• Should use read only root filesystem (warning)
• Don't mount /var/run/docker.sock

As is likely obvious here, this will also need to find some kind of way to differentiate from errors and warnings.

Installation Process

Docker

Polaris Version

3.2.1

Expected Behavior

Expected audit to run

Actual Behavior

WARN[0000] An error occurred validating controller:Check metadataAndNameMismatched not found 
ERRO[0000] Error while running audit on resources: Check metadataAndNameMismatched not found

Steps to Reproduce

docker run -ti \
  -v "$PWD/pwd" -v ~/github/k8s:/k8s \
  -v ~/.kube/config:/opt/app/config:ro \
  quay.io/fairwinds/polaris:3.2.1 polaris audit \
    --kubeconfig /opt/app/config \
    --audit-path /pwd \
    --config /k8s/polaris-config.yaml \
    -f pretty --only-show-failed-tests
WARN[0000] An error occurred validating controller:Check metadataAndNameMismatched not found 
ERRO[0000] Error while running audit on resources: Check metadataAndNameMismatched not found

The config file I am using is copied from here:

https://raw.githubusercontent.com/FairwindsOps/polaris/master/examples/config.yaml

Awesome project! It works for me with a port-forward, but not with -dashboard-path-prefix. After this change I can load the dashboard with a base path (/polaris/ in my case), but I haven't tested building a Docker image for my cluster yet.

~~Btw, I was unable to sign the CLA at https://cla-assistant.io/fairwinds/polaris (404)~~ With ?pullRequest=201 I could sign the CLA.

Installation Process

EKS cluster, version 1.15, using helm.

Command line:

$ helm upgrade --install polaris fairwinds-stable/polaris --version 1.0.2 --namespace kube-system -f polaris-values.yaml

polaris-values.yaml contents:

# Override the tag provided in the chart as the unconstrained "1.0"
# to be the more constrained "1.0.3" (a specific release).
image:
  tag: "1.0.3"

# Enable the dashboard over HTTP for internal users
dashboard:
  enable: true
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: nginx-ingress-private
    hosts:
      - "polaris.internal.domain"

Polaris Version

Version 1.0.3 Docker Image

$ k -n kube-system get deploy polaris-dashboard -o wide
NAME                READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS   IMAGES                            SELECTOR
polaris-dashboard   1/1     1            1           15d   dashboard    quay.io/fairwinds/polaris:1.0.3   app=polaris,app.kubernetes.io/instance=polaris,app.kubernetes.io/name=polaris,component=dashboard

Expected Behavior

The dashboard should be working.

Actual Behavior

Webpage with contents:

Error fetching Kubernetes resources

Logs from container:

$ k -n kube-system logs polaris-dashboard-dcb6c8b9c-9bpkw 
time="2020-06-04T17:36:42Z" level=info msg="Starting Polaris dashboard server on port 8080"
time="2020-06-04T17:37:04Z" level=error msg="Cache missed ReplicaSet/prod/telbot-gunicorn-7844c9db9d again"
time="2020-06-04T17:37:04Z" level=error msg="Error loading controllers from pods: Could not retrieve parent object"
time="2020-06-04T17:37:04Z" level=error msg="Error fetching Kubernetes resources Could not retrieve parent object"

CURL output of same request:

$ curl -v -L 'http://polaris.internal.domain/'
* About to connect() to polaris.internal.domain port 80 (#0)
*   Trying 10.100.25.113...
* Connected to polaris.internal.domain (10.100.25.113) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: polaris.internal.domain
> Accept: */*
> 
< HTTP/1.1 500 Internal Server Error
< Date: Thu, 04 Jun 2020 17:44:50 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 36
< Connection: keep-alive
< Server: nginx/1.17.8
< X-Content-Type-Options: nosniff
< 
Error fetching Kubernetes resources
* Connection #0 to host polaris.internal.domain left intact

Steps to Reproduce

1. Install with helm.
2. Open dashboard web interface.
3. Get Error fetching Kubernetes resources error message

Additional information

I'm not sure what further information to provide to help diagnose this issue.

Addresses https://github.com/reactiveops/polaris/issues/124

Uses whatever the user specifies as --cluster-name, falling back to the host named in kubeconfig. Doesn't look like we can get the name field: https://github.com/kubernetes/client-go/issues/530

Any potential issues with surfacing the host in the dashboard? E.g. could it have basic auth creds?

Here's what it looks like:

Hi,

I installed polaris 1.2 by applying the yaml file, I can access the page, but, some contents are not loaded.

In a post, I saw about this parameter : --dashboard-base-path="/polaris/" but I did not see how to use it .

This is my ingress configuration:

apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/rewrite-target: "/$1" nginx.ingress.kubernetes.io/configuration-snippet: | rewrite ^(/polaris)$ $1/ permanent; name: polaris namespace: polaris spec: rules:

• host: hostname http: paths:
  • path: /polaris/?(.*) backend: serviceName: polaris-dashboard servicePort: 80

Thanks for your help

Not entirely sure that your check for runAsNonRoot is working, or we mis-understand exactly what it's checking. We have a pod running which is set at the pod level as below, yet reactive is still saying it shouldn't run as root... which it isn't. Since the securityContext at the container level is only for overriding what is set at the pod level I hope that being set at the pod level is enough. Any ideas?

securityContext: runAsNonRoot: true runAsUser: 5000

I added a Github Action to add polaris as executable to the GitHub Action runners.

The script downloads the specified polaris version (by tag) and links it to the runners' path.

It is rather verbose and written in a startup-like code manner but it should be well enough for a first version. We already use my action in our CI now (https://github.com/mambax/setup-polaris - a clone before contribution) and it works as planned 🤝

Some resources: https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#runs-for-docker-actions https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsuses

Note: In this, I also created https://github.com/github/docs/pull/3468 towards the Github Docs because I nearly went crazy because my Dockerfile_Action did not work (just as a hint for later).

Btw: Once merged to your side and you being happy with it, you can list it in the GH marketplace also.

Installation Process

Polaris dashboard was installed with helm on a kubernetes cluster. Chart version : "1.1.0"

Polaris Version

Polaris version:1.1.1

Expected Behavior

After setting up the current exemptions in the polaris configmap, through helm and a value file:

    - controllerNames:
      - prometheus-prometheus-operator-prometheus
      rules:
      - readinessProbeMissing
      - livenessProbeMissing
    - controllerNames:
      - prometheus-prometheus-operator-prometheus
      rules:
      - notReadOnlyRootFilesystem

I can correctly see my polaris dashboard listing the component as green:

I expect that running polaris audit -c config (where config contains a list of the mentioned exemptions) I would get the same green status on all components.

Actual Behavior

However, when running polaris audit -c config (where config contains a list of the mentioned exemptions) I get:

  {
     "Name": "prometheus-operator-prometheus",
     "Namespace": "monitoring",
     "Kind": "Prometheus",
     "Results": {},
...
       "ContainerResults": [
         {
           "Name": "prometheus",
           "Results": {
...
             "notReadOnlyRootFilesystem": {
               "ID": "notReadOnlyRootFilesystem",
               "Message": "Filesystem should be read only",
               "Success": false,
               "Severity": "warning",
               "Category": "Security"
             },
....
         {
           "Name": "prometheus-config-reloader",
           "Results": {
...
             "livenessProbeMissing": {
               "ID": "livenessProbeMissing",
               "Message": "Liveness probe should be configured",
               "Success": false,
               "Severity": "warning",
               "Category": "Health Checks"
             },

Namely polaris dashboard lists the component correctly with the name it has on my cluster: prometheus-prometheus-operator-prometheus

The audit, for some reason, lists it as prometheus-operator-prometheus. I think it might be due to the lenght of the controller name or a difference between the chart and the cli versions. Could you confirm?

Installation Process

Downloaded and untar'd the tar and placed binary in path. Mint Linux 19.3

Polaris Version

Polaris version 0.6.0

Expected Behavior

The documenation (Usage) describes running top level commands without dashes like this:

polaris version

Actual Behavior

On Linux this just runs audit:

polaris version
# => Full audit output

To run version (or help/dashboard etc...) you need to add dashes:

polaris --version
# =>Polaris version 0.6.0

I am not sure how it acts on Mac, but I think it may be a build config missing in the Linux binary?

Polaris needs some additional validational checks like Pod's restart policy or maxretries so that it can monitor the usage of such parameters in the kubernetes deployment.

Reason to add: The containers get restarted constantly whenever they fail. This might be because of system issues or some other factors. It will keep on failing even if it retries a lot of time. If we don’t have the maxRetries on our pod/deployment, the pod will always retry, however it will not succeed and retries take a lot of time and resource.

• Add persistentpostrun to root cmd and postrun to version cmd
• Change PLG link
• Add PLG link to dashboard

This PR fixes #

Checklist

• [x] I have signed the CLA
• [x] I have updated/added any relevant documentation

Description

What's the goal of this PR?

What changes did you make?

What alternative solution should we consider, if any?

Bumps sigs.k8s.io/controller-runtime from 0.13.0 to 0.14.1.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Hello all I am on windows 10, I want to use the Dashboard with docker desktop windows I see the error: Error fetching Kubernetes resource

I see in the logs

time="2022-12-21T21:38:42Z" level=info msg="Starting Polaris dashboard server on port 8080" time="2022-12-21T21:38:46Z" level=error msg="Error fetching Cluster API version: Get https://kubernetes.docker.internal:6443/version?timeout=32s: dial tcp 192.168.65.4:6443: connect: connection refused" time="2022-12-21T21:38:46Z" level=error msg="Error fetching Kubernetes resources Get https://kubernetes.docker.internal:6443/version?timeout=32s: dial tcp 192.168.65.4:6443: connect: connection refused" time="2022-12-21T21:38:49Z" level=error msg="Error fetching Cluster API version: Get https://kubernetes.docker.internal:6443/version?timeout=32s: dial tcp 192.168.65.4:6443: connect: connection refused" time="2022-12-21T21:38:49Z" level=error msg="Error fetching Kubernetes resources Get https://kubernetes.docker.internal:6443/version?timeout=32s: dial tcp 192.168.65.4:6443: connect: connection refused" time="2022-12-23T09:15:25Z" level=error msg="Error fetching Cluster API version: Get https://kubernetes.docker.internal:6443/version?timeout=32s: dial tcp 192.168.65.4:6443: connect: connection refused" time="2022-12-23T09:15:25Z" level=error msg="Error fetching Kubernetes resources Get https://kubernetes.docker.internal:6443/version?timeout=32s: dial tcp 192.168.65.4:6443: connect: connection refused"

I run the command:

docker run -d -p 8082:8080 -v %USERPROFILE%/.kube/config:/opt/app/config:ro quay.io/fairwinds/polaris:1.2 polaris dashboard --kubeconfig /opt/app/config

Thanks

if the cluster has a windows node then there is a chance that Polaris won't start because of lack windows images 🤷‍♂️

workaround: kubectl -n polaris edit deployment polaris-dashboard and add

nodeSelector:
  kubernetes.io/os: linux

Bumps k8s.io/apimachinery from 0.25.3 to 0.26.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps k8s.io/client-go from 0.25.3 to 0.26.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.