An Easier Way to Audit your Kubernetes Infrastructure: Self-hosted Fairwinds Insights
We’re excited to announce that a self-hosted release of Fairwinds Insights is now in beta!
About two years ago, we launched Polaris, a project that helps teams apply policies and best practices to Kubernetes resources. The project has been rapidly adopted by the Kubernetes community, and we seem to have found a pain point that many organizations are struggling with. Community feedback from thousands of users has led to a number of improvements in Polaris, but there were also requests for more enterprise-friendly features that would violate Polaris’ “do one thing well” philosophy; features like tracking findings over time, assigning action items to the right engineers, and mapping the data to Slack, GitHub, Datadog, or wherever else their engineering teams might live.
To address these needs, we built a SaaS offering, Fairwinds Insights. Fairwinds Insights can ingest data from Polaris, as well as nearly a dozen other Kubernetes audits (like Trivy, Goldilocks, and kube-bench), and put all the results inside a single pane of glass. So far Fairwinds Insights has helped over 200 organizations better understand and harden their Kubernetes environments, making them more secure, efficient, and reliable.
However, we found that some Polaris users had business requirements that made it hard to upgrade. They liked the fact that Polaris ran entirely in their own environment — no need to worry about shipping data off to a third-party. This concern was especially common with enterprises in data-sensitive industries like healthcare and finance.
Fairwinds Insights should only add value on top of Polaris, so we’ve worked hard for the past few months to build a version of Insights that can run entirely within the customer’s environment. Even better, we’ve made the first 30 days free!
How it Works
To try out Fairwinds Insights inside your own environment, you simply need to
(note — currently, you’ll need to speak with our team to obtain an installation code)
helm repo add fairwinds-stable https://charts.fairwinds.com/stable helm install fairwinds-insights fairwinds-stable/fairwinds-insights \
If you’re already using Polaris, you can also pass in an existing Polaris configuration using the
polaris.config parameter. This is helpful if you've built some custom checks or configured custom severities and exemptions.
Once the deployment is running, you can access the dashboard by running:
kubectl port-forward -n fairwinds-insights svc/fairwinds-insights-dashboard 8080:80
See the documentation for details on how to set up a more permanent ingress, as well as other good hardening practices.
Note that you’ll still need to sign up for an account — the application will share the following details with our SaaS in order to track the duration of your trial and size of your environment:
- user names and email addresses
- number of clusters
- number of nodes
But that’s it! All data related to security, as well as potentially sensitive information like namespace names, RBAC roles, and image SHAs, are kept private to your environment.
Pros and Cons
Of course, hosting your own software can come with some headaches as well. As easy as it is to get Fairwinds Insights running in your environment, you’ll want to spend some time hardening your installation if you’re planning to use it long-term.
One of the biggest pros of a self-hosted deployment is the security exposure. Sending vulnerability data to a third-party can make security teams shudder, and might prevent you from ever trying out Fairwinds Insights as a SaaS. It can also help to satisfy compliance requirements, like keeping data collocated in a particular region.
Which leads to another benefit — a self-hosted installation can be easier to sell internally. Some folks have told us they’d have to go through a security review before trialing a SaaS, but that they could get started with a self-hosted installation right away. We’re hoping this option reduces friction for folks that are interested in seeing what Fairwinds Insights has to offer.
Last, with a self-hosted installation, you’ll have more control over how and when you upgrade to new versions of Insights. We only offer the latest version via the SaaS, so if you want to ensure the UI never changes or that you won’t have to upgrade the agent, a self-hosted installation could be attractive.
The biggest downside to self-hosting any piece of software is that you’re now responsible for the infrastructure that runs it.
First, you’ll need to ensure that everything is secure. Luckily, Insights will scan itself, and alert you to any vulnerabilities that might find their way in due to misconfiguration or a stale deployment.
Second, reliability could become an issue. Kubernetes can be nicely self-healing, but you probably won’t get the same level of uptime you would when using the SaaS.
Finally, you’ll need to have a good plan for data storage and backup. While Insights ships with ephemeral instances of Postgres and Minio, you’ll probably want to set up an RDS instance and an S3 bucket for more durable storage and regular backups.
Try it Out!
If you’d like to try Fairwinds Insights inside your own environment, reach out to our team and let us know. We’d also love to hear feedback on your experience! Feel free to reach out in our Slack community or email firstname.lastname@example.org if you’d like to get in touch.