fairwinds-stable/polaris

Chart version: 3.0.1
Api version: v1
App version: 3.0
Validation of best practices in your Kubernetes clusters
application
Chart Type
Active
Status
Unknown
License
5992
Downloads
https://charts.fairwinds.com/stable
Set me up:
helm repo add center https://repo.chartcenter.io
Install Chart:
helm install polaris center/fairwinds-stable/polaris
Versions (0)

Polaris

Polaris is a tool for auditing and enforcing best practices in Kubernetes.

Installation

We recommend installing polaris in its own namespace.

Dashboard

helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris

Webhook

A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the helm install below will work.

If you don’t use cert-manager, you’ll need to: * Supply a CA Bundle with the webhook.caBundle * Create a TLS secret in your cluster with a valid certificate that uses that CA * Pass the name of that secret with the webhook.secretName parameter.

helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm install polaris fairwinds-stable/polaris --namespace polaris --set webhook.enable=true --set dashboard.enable=false

A Note on Chart Version 0.10.0+

Due to the deprecation of various extensions/v1beta1 API’s, the 0.10.0 version of this chart will only work on kubernetes 1.14.0+

Values

Key Type Default Description
config string nil The (polaris configuration)[https://github.com/FairwindsOps/polaris#configuration]. If not provided then the (default)[https://github.com/FairwindsOps/polaris/blob/master/examples/config.yaml] config from Polaris is used.
image.repository string "quay.io/fairwinds/polaris" Image repo
image.tag string "" The Polaris Image tag to use. Defaults to the Chart’s AppVersion
image.pullPolicy string "Always" Image pull policy
image.pullSecrets list [] Image pull secrets
rbac.enabled bool true Whether RBAC resources (ClusterRole, ClusterRolebinding) should be created
serviceAccount.create bool true Specifies whether a service account should be created
serviceAccount.name string nil The name of the service account to use.
templateOnly bool false Outputs Namespace names, used with helm template
dashboard.basePath string nil Path on which the dashboard is served. Defaults to /
dashboard.enable bool true Whether to run the dashboard.
dashboard.replicas int 1 Number of replicas to run.
dashboard.resources object {"limits":{"cpu":"150m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}} Requests and limits for the dashboard
dashboard.service.type string "ClusterIP" Service Type
dashboard.service.annotations object {} Service annotations
dashboard.nodeSelector object {} Dashboard pod nodeSelector
dashboard.tolerations list [] Dashboard pod tolerations
dashboard.ingress.enabled bool false Whether to enable ingress to the dashboard
dashboard.ingress.hosts list [] Web ingress hostnames
dashboard.ingress.annotations object {} Web ingress annotations
dashboard.ingress.tls list [] Ingress TLS configuration
dashboard.priorityClassName string nil Priority Class name to be used in deployment if provided.
webhook.enable bool false Whether to run the Validating Webhook
webhook.replicas int 1 Number of replicas
webhook.nodeSelector object {} Webhook pod nodeSelector
webhook.tolerations list [] Webhook pod tolerations
webhook.caBundle string nil CA Bundle to use for Validating Webhook instead of cert-manager
webhook.secretName string nil Name of the secret containing a TLS certificate to use if cert-manager is not used.
webhook.failurePolicy string "Fail" failurePolicy for the ValidatingWebhookConfiguration
webhook.matchPolicy string "Exact" matchPolicy for the ValidatingWebhookConfiguration
webhook.namespaceSelector object {"matchExpressions":[{"key":"control-plane","operator":"DoesNotExist"}]} namespaceSelector for the ValidatingWebhookConfiguration
webhook.objectSelector object {} objectSelector for the ValidatingWebhookConfiguration
webhook.rules list [] An array of additional for the ValidatingWebhookConfiguration. Each requires a set of apiGroups, apiVersions, operations, resources, and a scope.
webhook.defaultRules list [{"apiGroups":["apps"],"apiVersions":["v1","v1beta1","v1beta2"],"operations":["CREATE","UPDATE"],"resources":["daemonsets","deployments","statefulsets"],"scope":"Namespaced"},{"apiGroups":["batch"],"apiVersions":["v1","v1beta1"],"operations":["CREATE","UPDATE"],"resources":["jobs","cronjobs"],"scope":"Namespaced"},{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE","UPDATE"],"resources":["pods","replicationcontrollers"],"scope":"Namespaced"}] An array of rules for common types for the ValidatingWebhookConfiguration
webhook.resources object {"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}} Requests and limits for the webhook.
webhook.priorityClassName string nil Priority Class name to be used in deployment if provided.
audit.enable bool false Runs a one-time audit. This is used internally at Fairwinds, and may not be useful for others.
audit.cleanup bool false Whether to delete the namespace once the audit is finished.
audit.outputURL string "" A URL which will receive a POST request with audit results.