
Polaris 1.0: Best Practices for Kubernetes Workloads - bbrennan
https://www.fairwinds.com/blog/fairwinds-polaris-1.0-best-practices-for-kubernetes-workloads
======
atombender
I wonder if they looked at Cue [1], a data language that I think hits the
sweet spot between readability and power.

Cue is a spiritual successor to Google's Jsonnet, but corrects the latter's
design mistakes. Cue is quite simple, but also extremely readable. It looks
ideal for the sort of data-level validations that Polaris wants to do, without
having to express a DSL in YAML (which should be an antipattern by now) to do
it.

[1]
[https://cuelang.org/docs/tutorials/tour/intro/](https://cuelang.org/docs/tutorials/tour/intro/)

~~~
sandGorgon
Here's a much nicer explanation by the author.
[https://github.com/cuelang/cue/issues/33](https://github.com/cuelang/cue/issues/33)

------
RichieMartin
Cool project, congratulations on the launch!

How does this project relate to other tools in the same space, such as kube-score [1] and popeye [2]?

From my point of view, the approach taken by, for example, kube-score, where
resources are matched with each other to give a better overview, is extremely
powerful; for example, it will notice if a Service is misconfigured and
wouldn't match any Pods.

1: [https://github.com/zegl/kube-score](https://github.com/zegl/kube-score)

2: [https://github.com/derailed/popeye](https://github.com/derailed/popeye)

~~~
bbrennan
Popeye is a very cool project with the same general aim - it checks a lot of
the same things as Polaris. It's very much CLI-first (and does an amazing job
at that), while Polaris is happy to run as a CLI, a web dashboard, a
validating webhook, or a CI/CD check.

kube-score I hadn't heard of, but looks very cool. You're right on matching
resources - one of the requests we've gotten is to be able to check that every
deployment comes with a PDB, which it looks like kube-score checks. Definitely
a feature we're looking into!
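The two cross-resource checks discussed above (a Service whose selector matches no Pods, and a Deployment with no PodDisruptionBudget), as an added example that is not code from Polaris, kube-score or Fairwinds. It runs over constructed in-memory manifests, assumes equality-based selectors only, and treats Deployments as the only pod-owning kind:

```python
from typing import Dict, List, Tuple

# Constructed sample manifests (not from the page): one Service that matches a
# Deployment, one stale Service that matches nothing, and one Deployment with no PDB.
RESOURCES: List[Dict] = [
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "prod"},
     "spec": {"template": {"metadata": {"labels": {"app": "api", "tier": "web"}}}}},
    {"kind": "Deployment", "metadata": {"name": "worker", "namespace": "prod"},
     "spec": {"template": {"metadata": {"labels": {"app": "worker"}}}}},
    {"kind": "Service", "metadata": {"name": "api", "namespace": "prod"},
     "spec": {"selector": {"app": "api"}}},
    {"kind": "Service", "metadata": {"name": "stale", "namespace": "prod"},
     "spec": {"selector": {"app": "api-v2"}}},
    {"kind": "PodDisruptionBudget", "metadata": {"name": "api", "namespace": "prod"},
     "spec": {"selector": {"matchLabels": {"app": "api"}}}},
]

def _selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    # Equality-based selector: every selector key/value must be present in the labels.
    return all(labels.get(k) == v for k, v in selector.items())

def _pod_labels(resources: List[Dict]) -> Dict[Tuple[str, str], Dict[str, str]]:
    # (namespace, deployment name) -> labels on the pod template
    return {(r["metadata"]["namespace"], r["metadata"]["name"]):
            r["spec"]["template"]["metadata"].get("labels", {})
            for r in resources if r["kind"] == "Deployment"}

def orphan_services(resources: List[Dict]) -> List[str]:
    """Services whose selector matches no Deployment pod template in their namespace."""
    pods = _pod_labels(resources)
    orphans = []
    for r in resources:
        sel = r.get("spec", {}).get("selector", {})
        if r["kind"] != "Service" or not sel:  # selector-less Services are legitimate
            continue
        ns = r["metadata"]["namespace"]
        if not any(_selector_matches(sel, lbl) for (pns, _), lbl in pods.items() if pns == ns):
            orphans.append(f"{ns}/{r['metadata']['name']}")
    return orphans

def deployments_without_pdb(resources: List[Dict]) -> List[str]:
    """Deployments whose pod labels are not covered by any PDB in their namespace."""
    pdbs = [(r["metadata"]["namespace"], r["spec"]["selector"].get("matchLabels", {}))
            for r in resources if r["kind"] == "PodDisruptionBudget"]
    return [f"{ns}/{name}" for (ns, name), lbl in _pod_labels(resources).items()
            if not any(pns == ns and _selector_matches(ml, lbl) for pns, ml in pdbs)]

if __name__ == "__main__":
    print("Services matching no pods:", orphan_services(RESOURCES))
    print("Deployments without a PDB:", deployments_without_pdb(RESOURCES))
```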

------
stickydink
It's nice but, for the service, per-node pricing is frustrating. Maybe our
workload is unusual, but I'm running something at a reasonably small scale,
with about 30 nodes.

The cluster autoscaler has been so good that we've optimised for more, smaller
nodes, on spot instance pricing. At $79/node, that's about 4x the cost of the
actual instance itself...

And yet the actual cost of the services provided doesn't _really_ seem to scale
with the number of nodes? But then, I can't think of another metric to tie it
to easily.

~~~
kenm47
The open source tool Polaris (what's quoted in this article) is completely free
to use. There is a commercial product (Fairwinds Insights) that includes
Polaris among many other tools and costs $79/node...

(Disclaimer: I work at Fairwinds)

------
bbrennan
Hey all - author here.

Just to clear up any confusion: Polaris is 100% free and open source, under
the Apache 2.0 License.

Some of the questions below pertain to a commercial product, Fairwinds
Insights, which includes Polaris as a plug-in (as well as Goldilocks,
kube-bench, kube-hunter, and others). While Insights is a separate (paid)
product, it can help folks track the lifecycle of their Polaris findings,
collate results across clusters, set up Slack/Datadog alerts, etc.

Sorry if that wasn't clear from the article - happy to answer questions about
either!

------
battery423
Interesting, but not interesting enough for us to accept an open source vendor
lock-in while the community builds OPA.

Might be heavier (haven't seen a comparison, so /shrug), but why would I bet on
one horse while all others are betting on the other?

As a side note: that's a ton of money for such a tool on a per-node basis.

~~~
bbrennan
We're looking at building OPA support into Polaris as well, given how much the
community has invested in it. For all the promise of OPA, we haven't seen it
gain much traction outside of large enterprises, for many of the reasons we
outline in the article.

Polaris is also 100% free. My guess is you're referring to Insights[0], which
is a SaaS that incorporates Polaris, as well as several other open source
auditing tools. We do offer per-node discounts for customers with a large
number of nodes.

[0] [https://www.fairwinds.com/insights](https://www.fairwinds.com/insights)

