Operationalize Kubernetes Open Source Tools at Scale With Fairwinds Insights

At Fairwinds, we have a long history of managing hundreds of Kubernetes clusters across dozens of organizations. To manage that complexity and keep our customers online and operational, we needed a way to track how healthy those clusters were, particularly in terms of security, efficiency and reliability. So we built Fairwinds Insights, a platform that runs different Kubernetes auditing tools and aggregates their results into a single dashboard.

Fairwinds Insights provides multi-cluster visibility into your Kubernetes environments by integrating an extensible set of trusted open source auditing tools into a single platform. Insights runs across the entire development life cycle, from continuous integration (CI) through admission control to production.

Continuous Integration

It was important to us that Insights catch issues early in the development process, so that problems never reach a live cluster. Our first step was therefore to integrate Insights into the continuous integration (CI) process for infrastructure-as-code. When you add Fairwinds Insights to your CI process, you can catch image vulnerabilities and Kubernetes misconfigurations early in the development process, before they are deployed anywhere.

Insights can scan the changes in each pull request, so you can notify developers or block merges whenever there are security, efficiency or reliability issues. To find these issues, Insights runs the following report types in CI:

  • Polaris: validate configuration against best practices
  • Trivy: scan container images for known vulnerabilities
  • Open Policy Agent (OPA): run custom policies
  • Pluto: detect resources that use deprecated Kubernetes API versions

Connecting Insights to your GitHub repository will help you get the most out of the CI integration, but you can still use the CI feature without GitHub. (If you’re using GitLab, Bitbucket or another Git host, let us know!) Learn more about the configuration in our docs.

Admission Controller

Fairwinds Insights can also run as an Admission Controller: a validating webhook that rejects any Kubernetes resource that does not conform to your organization’s policies before the API server persists it. The Admission Controller adds an extra layer of protection in case something slips through the CI process, or someone adds a resource to the cluster without going through the infrastructure-as-code repository. Note that a validating webhook only sees resources as they are created or updated; anything already running in the cluster is covered by the in-cluster agent described below. Fairwinds also provides a powerful, flexible solution for fine-grained customization of the Admission Controller via automation rules.

Insights Agent

Finally, Insights also offers an in-cluster agent that scans for issues already inside your cluster. The agent generates reports every hour and sends the data back to Fairwinds Insights. Users can enable or disable several different open source reporting tools (such as Polaris, Trivy, Prometheus Collector and Goldilocks) and configure each of them independently in the Report Hub.

Findings and recommendations are stored in a single location, enabling operators to gain visibility and control over multiple Kubernetes clusters, track and prioritize issues, and monitor the security and cost of Kubernetes workloads.

OPA and Fairwinds Insights

We’ve integrated OPA into Fairwinds Insights in three major ways:

  1. As a CI/CD hook, auditing Infrastructure-as-Code as part of the code review process
  2. As an Admission Controller (a validating webhook), which stops problematic resources from entering the cluster
  3. As an in-cluster agent, repeatedly scanning for problematic resources

By using Fairwinds Insights and OPA together, organizations can proactively align their Kubernetes clusters with both best practices and internal policies. Running OPA at each step of the development and deployment process surfaces issues early, before they make it into the cluster, which makes for an easier hand-off between Dev and Ops. Even better, Insights can take the same OPA policies and federate them out to all three contexts, and to as many clusters as you’d like.
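To make the “one policy, three contexts” idea concrete, here is a small OPA policy in Rego, written as an added example for this post; it is not Fairwinds’ code and does not use Insights’ own policy schema (how Insights hands the object to a policy and reads findings back is described in its docs and is not assumed here). It uses the generic deny/allowed form of a Kubernetes admission policy. The package name, the rule names, the `resource` normalization that accepts either a raw manifest (the CI and agent cases) or an AdmissionReview wrapping it (the admission case), and the two sample objects are all this example’s own constructions. The deny rules cover a deprecated API version (the kind of finding Pluto reports), a privileged container, a missing memory limit, and a mutable image tag.

```rego
package kubernetes.policies

import rego.v1

# One rule set, three call sites. A validating webhook receives an
# AdmissionReview and the object sits under input.request.object; a manifest
# scanned from a pull request, or an object listed from the API server by an
# in-cluster agent, is the object itself. Normalising here (this example's own
# device, not Insights' policy schema) lets the deny rules below stay identical.
# DELETE requests carry only request.oldObject, so resource is undefined for
# them and they fall through as allowed.
resource := input.request.object if input.request.object
resource := input if not input.request

# Containers of a bare Pod, or of any workload that carries a pod template.
containers contains c if some c in resource.spec.containers
containers contains c if some c in resource.spec.template.spec.containers

# Workload kinds no longer served from extensions/v1beta1 since Kubernetes 1.16;
# the same class of finding that Pluto reports.
deprecated_kinds := {"Deployment", "DaemonSet", "ReplicaSet"}

deny contains msg if {
	resource.apiVersion == "extensions/v1beta1"
	resource.kind in deprecated_kinds
	msg := sprintf("%s/%s uses deprecated apiVersion extensions/v1beta1; move to apps/v1",
		[resource.kind, resource.metadata.name])
}

deny contains msg if {
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %q in %s/%s runs privileged",
		[c.name, resource.kind, resource.metadata.name])
}

deny contains msg if {
	some c in containers
	not c.resources.limits.memory
	msg := sprintf("container %q in %s/%s has no memory limit",
		[c.name, resource.kind, resource.metadata.name])
}

# A mutable tag can drift away from the image that Trivy scanned in CI.
deny contains msg if {
	some c in containers
	endswith(c.image, ":latest")
	msg := sprintf("container %q in %s/%s uses the mutable :latest tag",
		[c.name, resource.kind, resource.metadata.name])
}

# Single verdict for every context: CI fails the check, the webhook rejects
# the request, and the agent records one finding per deny message.
default allowed := false

allowed if count(deny) == 0

# Constructed sample: a pre-1.16 Deployment with a privileged, unlimited,
# :latest container, as a pull request (CI) or the in-cluster agent presents it.
sample_deployment := {
	"apiVersion": "extensions/v1beta1",
	"kind": "Deployment",
	"metadata": {"name": "web"},
	"spec": {"template": {"spec": {"containers": [{
		"name": "web",
		"image": "example.com/web:latest",
		"securityContext": {"privileged": true}
	}]}}}
}

# `opa test policy.rego -v` runs the three checks below.
test_ci_manifest_is_denied if {
	count(deny) == 4 with input as sample_deployment
	not allowed with input as sample_deployment
}

# The same object wrapped in an AdmissionReview, as the validating webhook sees it.
test_admission_review_is_denied if {
	review := {
		"apiVersion": "admission.k8s.io/v1",
		"kind": "AdmissionReview",
		"request": {
			"uid": "5c1a7f0e-2b31-4d6c-9f0c-8a2d1e3b4f55",
			"operation": "CREATE",
			"object": sample_deployment
		}
	}
	count(deny) == 4 with input as review
	not allowed with input as review
}

test_compliant_pod_is_allowed if {
	pod := {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "app"},
		"spec": {"containers": [{
			"name": "app",
			"image": "example.com/app:1.4.2",
			"resources": {"limits": {"memory": "128Mi"}}
		}]}
	}
	allowed with input as pod
	count(deny) == 0 with input as pod
}
```

Against a single manifest saved as JSON, `opa eval -i manifest.json -d policy.rego 'data.kubernetes.policies.deny'` prints the messages a CI job would post back to the pull request; the admission test shows that wrapping the identical object in an AdmissionReview produces the same four findings, which is what lets one policy be federated to all three contexts without a per-context rewrite.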

Minimized Complexity

The Insights platform enables DevOps teams to find and prevent configuration problems as applications move from development to production. By integrating with these tools, Insights helps teams operationalize open source at scale. You can learn more by reading Insights documentation or by starting a trial.

Fairwinds — The Kubernetes Enablement Company | Editor of uptime 99