# Insights Architecture
Fairwinds Insights consists of two main components:
- The Client - this consists of the users' cluster, where the Insights Agent runs each of the enabled reports
- The Server - this consists of the Insights backend, database, and file storage
While each report has its own requirements, there are some baseline requirements needed by the Insights Agent:
- Sufficient RBAC permissions to create new Jobs in the cluster
- Network access to
Additional architecture notes and RBAC requirements for different reports are listed below. Note that the Insights Agent only requires egress from the cluster - you will not need to open up access for any kind of network ingress.
# Network Egress
Fairwinds Insights will need access to the following base URLs:
# API (all methods)
# Docker Images (pull only)
# Supplementary Data (GET only)
- raw.githubusercontent.com/FairwindsOps/* (goldilocks)
- github.com/aquasecurity/* (trivy)
- artifacthub.io/api/v1/* (nova)
# Report Architectures
Typically, each report runs as a CronJob on a configurable schedule (usually once/hour by default).
The report will analyze resources in the cluster, then send a JSON report with its findings
Any exceptions or additions to this flow are listed below.
In addition to the typical cronjob, Goldilocks will run a long-lived Deployment for controlling
VPA objects. Goldilocks will add a VPA (in
recommend mode) to any incoming Deployment in order to
provide resource recommendations.
Goldilocks needs access to
raw.githubusercontent.com in order to access the CRDs for VPA objects,
which will be installed in the cluster alongside the Insights Agent.
Goldilocks also requires a metrics-server installation.
kube-bench can run in one of two modes:
cronjob(default) - this runs the report for a single node
daemonset- this runs the report on all nodes
If your nodes are homogenous (i.e. you only have a single node pool), the
is sufficient. But if your nodes have different configurations, you'll likely want to run
kube-bench as a DaemonSet.
kube-bench needs access to some resources on the node in order to perform its audit, including:
- root access
kube-hunter runs in pod mode (opens new window) in order to discover what running a malicious container can do/discover on your cluster.
kubesec only needs
view access to the cluster in order to analyze workloads for misconfigurations.
Nova needs access to
Secrets, which contain metadata about installed Helm charts.
Nova will also need network access to any third-party Helm repositories from which Helm charts have
been installed (e.g.
Nova will find all Helm charts installed in the cluster, then cross-check those charts with the upstream repositories to check for new versions.
The OPA report will reach out to the Insights API to pull down any Rego policies that have been added to your
organization. It will need
view access to the cluster in order to run those policies against existing resources.
view access to the cluster in order to check for deprecated API versions.
view access to the cluster in order to analyze workload configurations. It also needs
access to Secrets in order to examine Helm charts.
# RBAC Reporter
RBAC Reporter needs
view access to the cluster to aggregate information about RBAC roles and bindings.
Trivy will download a list of known CVEs from GitHub (opens new window), then cross-check these against images in your cluster.
You may need to grant Trivy access to private images if your nodes don't automatically have access to your private Docker registries.
The Workloads report only needs
view access to your cluster.
# RBAC requirements
Each Fairwinds Insights plugin requires a unique set of permissions in order to do its job. Here we provide a list of permissions requested by each plugin - you can also review the helm chart (opens new window) to see the exact RBAC configurations for each plugin.
Notably, some plugins require read access to secrets. This is because they examine Helm 3
releases, which store metadata inside of a
If a particular plugin requires permissions that you're uncomfortable with, you can disable it
in the Helm chart by adding
# Permission List
|Plugin||View Secrets||View Resources (non-secrets)||Other/Notes|
|Release Watcher||✅||✅||Needs secrets to view Helm releases|
|Pluto||✅||✅||Needs secrets to view Helm releases|