Configs · April 16, 2026 · 1 min read

Polaris — Best Practices Validation for Kubernetes Clusters

Polaris audits your Kubernetes deployments against best practices for security, reliability, and efficiency, with a dashboard, CLI, and admission controller.

Introduction

Polaris is an open-source tool by Fairwinds that validates Kubernetes resources against a configurable set of best practices. It catches misconfigurations — missing resource limits, containers running as root, missing health checks — before they cause outages or security incidents. Polaris runs as a CLI audit tool, a visual dashboard, or an admission controller that blocks non-compliant deployments.

What Polaris Does

  • Audits Kubernetes workloads against security, reliability, and efficiency best practices
  • Provides a web dashboard with a cluster-wide score and per-resource details
  • Runs as a validating admission webhook to block non-compliant deployments at apply time
  • Scans YAML files in CI/CD pipelines before resources reach the cluster
  • Supports custom check definitions for organization-specific policies

Architecture Overview

Polaris reads Kubernetes resource specs (Deployments, StatefulSets, DaemonSets, Jobs, CronJobs) and evaluates them against a library of built-in checks. In dashboard mode, it connects to the Kubernetes API server, fetches all workloads, scores them, and renders results in a web UI. In webhook mode, it intercepts admission requests and rejects resources that fail critical checks. The CLI mode reads YAML files or connects to a cluster for one-shot audits, making it easy to integrate into CI pipelines.

Self-Hosting & Configuration

  • Install the CLI via Homebrew, or deploy the dashboard and webhook via Helm chart
  • Customize checks in a polaris.yaml config file to set severity levels and exemptions
  • Deploy the admission webhook with helm install polaris fairwinds/polaris --set webhook.enable=true
  • Integrate CLI audits into CI with polaris audit --audit-path ./manifests --set-exit-code-on-danger
  • Exempt specific workloads or namespaces using annotations or config file rules
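The following polaris.yaml ties the configuration points above together: per-check severities, a custom check expressed as JSON Schema (the mechanism named under Key Features), and a narrow exemption. It is an added example, not a file shipped with Polaris; the check name allowedRegistryOnly, the registry host and the exempted controller name are assumed values.

```yaml
# polaris.yaml (added example; not part of the Polaris project)
# Severity per check: danger fails the audit and is rejected by the webhook,
# warning is reported only, ignore disables the check entirely.
checks:
  # Security
  runAsRootAllowed: danger
  privilegeEscalationAllowed: danger
  hostNetworkSet: danger
  hostPIDSet: danger
  notReadOnlyRootFilesystem: warning
  # Reliability
  livenessProbeMissing: warning
  readinessProbeMissing: warning
  tagNotSpecified: danger
  # Efficiency
  cpuRequestsMissing: warning
  memoryLimitsMissing: warning
  # Custom checks are enabled by giving them a severity here as well
  allowedRegistryOnly: danger

# Organization-specific rule: every container image must come from the
# internal registry. Evaluated as JSON Schema against the container spec.
# The check name and the registry host are assumed values.
customChecks:
  allowedRegistryOnly:
    successMessage: Image is pulled from the internal registry
    failureMessage: Image must come from registry.example.internal
    category: Security
    target: Container
    schema:
      '$schema': http://json-schema.org/draft-07/schema
      type: object
      required: [image]
      properties:
        image:
          type: string
          pattern: '^registry\.example\.internal/'

# Exemptions: scoped to a namespace, named controllers, and only the rules
# those workloads genuinely need, so the exception stays auditable.
exemptions:
  - namespace: kube-system
    controllerNames:
      - kube-proxy          # assumed controller name
    rules:
      - hostNetworkSet
      - runAsRootAllowed
```

Run it against a manifest directory with polaris audit --config polaris.yaml --audit-path ./manifests --set-exit-code-on-danger; any container with an image outside the assumed registry, or any danger-level built-in failure not covered by the exemption, makes the command exit non-zero.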

Key Features

  • 30+ built-in checks covering security (runAsRoot, capabilities), reliability (probes, replicas), and efficiency (resource requests/limits)
  • Three deployment modes: CLI, dashboard, and admission webhook
  • Configurable severity levels (danger, warning, ignore) per check
  • CI/CD integration with non-zero exit codes on policy violations
  • Custom check support via JSON Schema for organization-specific rules

Comparison with Similar Tools

  • Kubescape — broader security scanning including NSA/CISA frameworks but more complex
  • Kyverno — policy engine that can mutate and generate resources, not just validate
  • OPA/Gatekeeper — powerful policy language (Rego) but steeper learning curve
  • Datree — similar best-practice checks but cloud-hosted policy management (deprecated)

FAQ

Q: Can Polaris block bad deployments automatically? A: Yes, deploy the validating admission webhook to reject resources that fail critical checks.

Q: Does Polaris scan existing resources or only new deployments? A: The dashboard and CLI audit existing resources. The webhook validates new and updated resources at admission time.

Q: Can I add custom checks? A: Yes, custom checks are defined as JSON Schema rules in the Polaris config file.

Q: Does Polaris support Helm charts? A: Polaris audits rendered Kubernetes manifests. Use helm template to render charts, then pipe to polaris audit --audit-path -.

Sources
