# Polaris — Best Practices Validation for Kubernetes Clusters

> Polaris audits your Kubernetes deployments against best practices for security, reliability, and efficiency, with a dashboard, CLI, and admission controller.

## Quick Use

```bash
# Install Polaris CLI
brew install FairwindsOps/tap/polaris

# Audit the current cluster
polaris audit --format=pretty

# Audit a single YAML file
polaris audit --audit-path deployment.yaml

# Run the dashboard
polaris dashboard --port 8080
```

## Introduction

Polaris is an open-source tool by Fairwinds that validates Kubernetes resources against a configurable set of best practices. It catches misconfigurations — missing resource limits, containers running as root, missing health checks — before they cause outages or security incidents. Polaris runs as a CLI audit tool, a visual dashboard, or an admission controller that blocks non-compliant deployments.

## What Polaris Does

- Audits Kubernetes workloads against security, reliability, and efficiency best practices
- Provides a web dashboard with a cluster-wide score and per-resource details
- Runs as a validating admission webhook to block non-compliant deployments at apply time
- Scans YAML files in CI/CD pipelines before resources reach the cluster
- Supports custom check definitions for organization-specific policies

## Architecture Overview

Polaris reads Kubernetes resource specs (Deployments, StatefulSets, DaemonSets, Jobs, CronJobs) and evaluates them against a library of built-in checks. In dashboard mode, it connects to the Kubernetes API server, fetches all workloads, scores them, and renders results in a web UI. In webhook mode, it intercepts admission requests and rejects resources that fail critical checks. The CLI mode reads YAML files or connects to a cluster for one-shot audits, making it easy to integrate into CI pipelines.
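The evaluate-and-score loop described above, as an added illustration that is not Polaris's own Go code: a small Python engine that locates the pod spec of a workload, applies a handful of checks named after Polaris built-ins (`runAsRootAllowed`, `tagNotSpecified`, `cpuLimitsMissing`, and so on), honours per-check severity plus the `polaris.fairwinds.com/exempt` and `polaris.fairwinds.com/<check>-exempt` annotations, and turns danger-level findings into a non-zero exit code the way the CLI's `--set-exit-code-on-danger` flag does. The two sample Deployments are constructed, the check logic is a simplified reading of what each built-in tests, and the exit value 3 is an assumption to verify against your Polaris version.

```python
"""Polaris-style workload audit, written as an illustration (not Polaris's own code)."""
from __future__ import annotations

from typing import Any

# Severity per check, using the danger/warning/ignore levels a polaris.yaml sets.
SEVERITY = {
    "runAsRootAllowed": "danger",
    "privilegeEscalationAllowed": "danger",
    "tagNotSpecified": "danger",
    "cpuLimitsMissing": "warning",
    "memoryLimitsMissing": "warning",
    "livenessProbeMissing": "warning",
    "readinessProbeMissing": "warning",
}

EXEMPT_ALL = "polaris.fairwinds.com/exempt"  # annotation that exempts every check on a workload


def pod_spec(workload: dict[str, Any]) -> dict[str, Any]:
    """Locate the pod spec for the workload kinds Polaris audits."""
    kind = workload.get("kind")
    if kind == "CronJob":
        return workload["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if kind == "Pod":
        return workload["spec"]
    return workload["spec"]["template"]["spec"]  # Deployment, StatefulSet, DaemonSet, Job


def check_container(container: dict[str, Any], spec: dict[str, Any]) -> dict[str, bool]:
    """Evaluate one container; returns {check_id: passed}."""
    sc = container.get("securityContext") or {}
    pod_sc = spec.get("securityContext") or {}
    # A container-level securityContext overrides the pod-level one.
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    limits = (container.get("resources") or {}).get("limits") or {}
    image = container.get("image", "")
    last = image.rsplit("/", 1)[-1]  # drop the registry/repository path, keep name[:tag]
    pinned = "@" in image or (":" in last and not last.endswith(":latest"))
    return {
        "runAsRootAllowed": bool(non_root) or (uid is not None and uid > 0),
        "privilegeEscalationAllowed": sc.get("allowPrivilegeEscalation") is False,
        "tagNotSpecified": pinned,
        "cpuLimitsMissing": "cpu" in limits,
        "memoryLimitsMissing": "memory" in limits,
        "livenessProbeMissing": "livenessProbe" in container,
        "readinessProbeMissing": "readinessProbe" in container,
    }


def audit_workload(workload: dict[str, Any], severity: dict[str, str] = SEVERITY) -> list[dict[str, str]]:
    """Return findings for failed checks that are neither ignored nor exempted."""
    meta = workload.get("metadata", {})
    annotations = meta.get("annotations") or {}
    if annotations.get(EXEMPT_ALL) == "true":
        return []
    spec = pod_spec(workload)
    findings = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for check_id, passed in check_container(container, spec).items():
            level = severity.get(check_id, "ignore")
            if passed or level == "ignore":
                continue
            # Per-check exemption, e.g. polaris.fairwinds.com/livenessProbeMissing-exempt: "true"
            if annotations.get(f"polaris.fairwinds.com/{check_id}-exempt") == "true":
                continue
            findings.append({
                "workload": f"{workload['kind']}/{meta.get('name')}",
                "container": container["name"],
                "check": check_id,
                "severity": level,
            })
    return findings


def exit_code_on_danger(findings: list[dict[str, str]]) -> int:
    """CI gate: 3 on any danger-level finding (assumed to mirror --set-exit-code-on-danger), else 0."""
    return 3 if any(f["severity"] == "danger" for f in findings) else 0


# Constructed sample workloads, not taken from any real cluster.
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"replicas": 2, "template": {"spec": {"containers": [
        {"name": "web", "image": "nginx:latest", "ports": [{"containerPort": 80}]},
    ]}}},
}
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "api", "namespace": "prod",
                 "annotations": {"polaris.fairwinds.com/livenessProbeMissing-exempt": "true"}},
    "spec": {"replicas": 3, "template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "api", "image": "registry.example.com/team/api:1.4.2",
            "securityContext": {"allowPrivilegeEscalation": False},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        }],
    }}},
}

if __name__ == "__main__":
    for wl in (BAD_DEPLOYMENT, GOOD_DEPLOYMENT):
        found = audit_workload(wl)
        for f in found:
            print(f"[{f['severity']}] {f['workload']} container={f['container']}: {f['check']}")
        print(f"{wl['metadata']['name']}: {len(found)} finding(s), exit code {exit_code_on_danger(found)}")
```

Running the script lists seven findings for `web` (three of them danger-level, so the gate returns 3) and none for `api`, whose only failing check is neutralised by the per-check exemption annotation. Passing a modified severity map to `audit_workload` is the same idea as setting a check to `ignore` in `polaris.yaml`.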
## Self-Hosting & Configuration

- Install the CLI via Homebrew, or deploy the dashboard and webhook via Helm chart
- Customize checks in a `polaris.yaml` config file to set severity levels and exemptions
- Deploy the admission webhook with `helm install polaris fairwinds/polaris --set webhook.enable=true`
- Integrate CLI audits into CI with `polaris audit --audit-path ./manifests --set-exit-code-on-danger`
- Exempt specific workloads or namespaces using annotations or config file rules

## Key Features

- 30+ built-in checks covering security (runAsRoot, capabilities), reliability (probes, replicas), and efficiency (resource requests/limits)
- Three deployment modes: CLI, dashboard, and admission webhook
- Configurable severity levels (danger, warning, ignore) per check
- CI/CD integration with non-zero exit codes on policy violations
- Custom check support via JSON Schema for organization-specific rules

## Comparison with Similar Tools

- **Kubescape** — broader security scanning including NSA/CISA frameworks but more complex
- **Kyverno** — policy engine that can mutate and generate resources, not just validate
- **OPA/Gatekeeper** — powerful policy language (Rego) but steeper learning curve
- **Datree** — similar best-practice checks but cloud-hosted policy management (deprecated)

## FAQ

**Q: Can Polaris block bad deployments automatically?**
A: Yes, deploy the validating admission webhook to reject resources that fail critical checks.

**Q: Does Polaris scan existing resources or only new deployments?**
A: The dashboard and CLI audit existing resources. The webhook validates new and updated resources at admission time.

**Q: Can I add custom checks?**
A: Yes, custom checks are defined as JSON Schema rules in the Polaris config file.

**Q: Does Polaris support Helm charts?**
A: Polaris audits rendered Kubernetes manifests. Use `helm template` to render charts, then pipe to `polaris audit --audit-path -`.
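A `polaris.yaml` that ties the configuration bullets above to the custom-check FAQ answer, as an added example rather than a file from the Polaris repository: it sets severity per built-in check, exempts checks for a namespace and for a named controller, and defines one JSON Schema custom check. The built-in check IDs are Polaris's own; the `imageRegistry` check, the `legacy-batch-worker` controller and `registry.example.com` are constructed for the example, and a custom check must also be listed under `checks:` with a severity before Polaris evaluates it.

```yaml
# polaris.yaml (constructed example)
checks:
  # Security
  runAsRootAllowed: danger
  privilegeEscalationAllowed: danger
  hostNetworkSet: danger
  notReadOnlyRootFilesystem: warning
  # Reliability
  livenessProbeMissing: warning
  readinessProbeMissing: warning
  tagNotSpecified: danger
  # Efficiency
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  memoryRequestsMissing: warning
  memoryLimitsMissing: warning
  # Custom check defined under customChecks below
  imageRegistry: danger

exemptions:
  # Cluster add-ons in kube-system legitimately need host networking and root.
  - namespace: kube-system
    rules:
      - hostNetworkSet
      - runAsRootAllowed
  # A single known controller, exempted from one check only.
  - controllerNames:
      - legacy-batch-worker
    rules:
      - livenessProbeMissing

customChecks:
  imageRegistry:
    successMessage: Image comes from the approved registry
    failureMessage: Image must come from registry.example.com
    category: Security
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      properties:
        image:
          type: string
          pattern: ^registry\.example\.com/
```

Point the CLI at it with `polaris audit --config polaris.yaml --audit-path ./manifests --set-exit-code-on-danger`; the same file is supplied to the Helm-deployed dashboard and webhook through the chart's config values, so CI, the dashboard and admission control all enforce one policy.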
## Sources

- https://github.com/FairwindsOps/polaris
- https://www.fairwinds.com/polaris

---

Source: https://tokrepo.com/en/workflows/374fe27c-3998-11f1-9bc6-00163e2b0d79
Author: AI Open Source