# Admission Controller

Want to manage the Admission Controller across multiple clusters? Check out Fairwinds Insights (opens new window)

Polaris can be run as an admission controller that acts as a validating webhook. This accepts the same configuration as the dashboard, and can run the same validations.

The webhook will reject any workloads that trigger a danger-level check. This is indicative of the greater goal of Polaris, not just to encourage better configuration through dashboard visibility, but to actually enforce it with this webhook.

Note that Polaris will not alter your workloads, only block workloads that don't conform to the configured policies.

# Installation

A valid TLS certificate is required for the Polaris Validating Webhook. If you have cert-manager installed in your cluster then the install methods below will work.

If you don't use cert-manager, you'll need to:

  • Supply a CA Bundle with the webhook.caBundle
  • Create a TLS secret in your cluster with a valid certificate that uses that CA
  • Pass the name of that secret with the webhook.secretName parameter.

# Helm

helm repo add fairwinds-stable https://charts.fairwinds.com/stable
helm upgrade --install polaris fairwinds-stable/polaris --namespace polaris --create-namespace \
  --set webhook.enable=true --set dashboard.enable=false

# Workload Types

The webhook comes with built-in support for a handful of known controller types, such as Deployments, Jobs, and DaemonSets. To add new controller types, you can set webhook.rules in the Helm chart (opens new window)

# Warnings

Unfortunately we have not found a way to display warnings as part of kubectl output unless we are rejecting a workload altogether.

This means that any checks with a severity of warning will still pass webhook validation, and the only evidence of that warning will either be in the Polaris dashboard or the Polaris webhook logs. This will change in a future version of Kubernetes.

# Mutating Webhook

By default, the Admission Controller is just pass/fail, but Polaris can also operate as a mutating webhook for many of the issues it checks for. This means Polaris will remediate the issue it finds, rather than rejecting the deployment.

To enable the mutating webhook, add --set webhook.mutate=true to your Helm installation command.

The following default checks currently have mutation support enabled:

  • hostPIDSet
  • hostNetworkSet
  • hostIPCSet
  • priorityClassNotSet
  • hostPortSet
  • pullPolicyNotAlways
  • deploymentMissingReplicas
  • dangerousCapabilities
  • cpuLimitsMissing
  • memoryLimitsMissing
  • livenessProbeMissing
  • memoryRequestsMissing
  • cpuRequestsMissing
  • runAsPrivileged
  • readinessProbeMissing
  • privilegeEscalationAllowed
  • notReadOnlyRootFilesystem
  • insecureCapabilities
  • runAsRootAllowed

If you'd like to enable other mutations, you can set the webhook.mutations flag.