Making sure you have the most recent version of software you install in a Kubernetes cluster helps you avoid known security issues and have access to the most up-to-date project features. If you use Helm to manage your releases, Fairwinds Nova can help you find outdated or deprecated Helm charts running in your cluster. You can run Nova from your command line, or integrate it into your continuous integration process, and as of version 3.1.0, you can scan containers.
Install Nova with asdf or Homebrew, from source, or from GitHub Releases. The full installation instructions are in the Nova Docs. In this article we demonstrate how to install Nova from the GitHub Releases page.
First, visit the releases page and find the release that is right for your environment. For example, on a Linux machine with an amd64 processor, you will want to download the release for Linux amd64.
Run the following commands to download and install Nova:

```bash
curl -L "https://github.com/FairwindsOps/nova/releases/download/3.2.0/nova_3.2.0_linux_amd64.tar.gz" > nova.tar.gz
tar -xvf nova.tar.gz
sudo mv nova /usr/local/bin/
```
Next, check that the installation worked by running the help command:
```bash
nova help
```
You should see a list of Nova commands and options, like this:
```
fairwinds tool to check for updated chart releases.

Usage:
  nova [flags]
  nova [command]

Available Commands:
  completion      Generate the autocompletion script for the specified shell
  find            Find out-of-date deployed releases.
  generate-config Generate a config file.
  help            Help about any command
  version         Prints the current version.

Flags:
      --alsologtostderr                   log to standard error as well as files (default true)
      --config string                     Config file to use. If empty, flags will be used instead
      --context string                    A context to use in the kubeconfig.
  -d, --desired-versions stringToString   A map of chart=override_version to override the helm repository when checking. (default [])
  -h, --help                              help for nova
  -a, --include-all                       Show all charts even if no latest version is found.
      --logtostderr                       log to standard error instead of files (default true)
      --output-file string                Path on local filesystem to write file output to
      --poll-artifacthub                  When true, polls artifacthub to match against helm releases in the cluster. If false, you must provide a url list via --url/-u. Default is true. (default true)
      --show-old                          Only show charts that are not on the latest version
  -u, --url strings                       URL for a helm chart repo
  -v, --v Level                           number for the log level verbosity
      --wide                              Output chart name and namespace

Use "nova [command] --help" for more information about a command.
```
The fastest way to run Nova is from your command line. To scan the Helm charts installed in the Kubernetes cluster you are currently authenticated to, run the command:
```bash
nova find
```
You will see a list of your Helm releases, the version of the Helm chart that is installed in your cluster, the latest available version and whether or not your version is out of date.
```
Release Name           Installed  Latest  Old    Deprecated
============           =========  ======  ===    ==========
kube-prometheus-stack  26.1.0     37.3.0  true   false
metrics-server         3.8.0      3.8.2   true   false
vpa                    1.4.0      1.4.0   false  false
```
For more information about these Helm releases, including which namespace they are running in, invoke the command:
```bash
nova find --wide
```

```
Release Name           Chart Name             Namespace  HelmVersion  Installed  Latest  Old    Deprecated
============           ==========             =========  ===========  =========  ======  ===    ==========
kube-prometheus-stack  kube-prometheus-stack  demo       3            26.1.0     37.3.0  true   false
metrics-server         metrics-server         demo       3            3.8.0      3.8.2   true   false
vpa                    vpa                    demo       3            1.4.0      1.4.0   false  false
```
To update your Helm release, copy the latest version number of the chart, and run the `helm upgrade` command. In our example, the metrics-server chart version is out of date, so to update it we would run:
```bash
helm upgrade metrics-server metrics-server/metrics-server --version 3.8.2
```
If a chart is deprecated, you will see this:
```
Release Name  Installed  Latest  Old    Deprecated
============  =========  ======  ===    ==========
kubewatch     3.3.4      3.3.4   false  true
```
A deprecated chart should receive special attention because it means that the project is no longer maintained and there will be no further updates. The longer deprecated software is deployed, the more brittle and attack-prone it becomes. Popular projects that are deprecated often change names or Helm repository URLs, and the documentation for the deprecated chart will point you to the new project, or offer alternatives that you should consider.
Note: At the time of this article, Nova has an interesting issue with deprecated charts and artifacthub.io. In order to generate the output shown above, we had to disable artifacthub.io scanning and point Nova directly at the chart repository for kubewatch. The command used to do this is:

```bash
nova find --poll-artifacthub=false --url=https://charts.bitnami.com/bitnami
```

The issue with artifacthub.io has to do with the fact that we don't know the actual source repository that an installed Helm release came from. This is currently being actively discussed as a modification to Helm in this Helm improvement proposal (HIP). Additionally, we are tracking the issue here in GitHub.
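One way to act on the Old and Deprecated columns in a pipeline, added here as an example and not part of Nova or the original article. The function names `classify_nova` and `nova_gate` are hypothetical, and the sample rows are assembled from the outputs shown above.

```shell
#!/bin/sh
# Added example (not Fairwinds code): turn `nova find` table output into
# a pass/fail signal for a CI job.

# Constructed sample: rows assembled from the outputs shown in this article.
SAMPLE='Release Name           Installed  Latest  Old    Deprecated
============           =========  ======  ===    ==========
metrics-server         3.8.0      3.8.2   true   false
vpa                    1.4.0      1.4.0   false  false
kubewatch              3.3.4      3.3.4   false  true'

# classify_nova: read the table on stdin and print one line per finding:
#   "<SEVERITY> <release> <installed> <latest>"
# Fields are counted from the right, so the same code also accepts the
# `--wide` layout, whose extra columns sit in the middle of each row.
classify_nova() {
  awk '
    /^Release Name/ || /^=/ { next }   # header row and ===== ruler
    NF < 5 { next }                    # blank or non-table line
    {
      dep = $NF; old = $(NF-1); latest = $(NF-2); inst = $(NF-3)
      if (dep == "true")      print "DEPRECATED", $1, inst, latest
      else if (old == "true") print "OUTDATED", $1, inst, latest
    }'
}

# nova_gate: print findings; return 2 if any release is deprecated,
# 1 if any is only outdated, 0 if everything is current.
nova_gate() {
  gate_findings=$(classify_nova)
  if [ -n "$gate_findings" ]; then printf '%s\n' "$gate_findings"; fi
  if printf '%s\n' "$gate_findings" | grep -q '^DEPRECATED '; then return 2; fi
  if printf '%s\n' "$gate_findings" | grep -q '^OUTDATED '; then return 1; fi
  return 0
}

# Demo on the constructed sample. In a pipeline (assumes nova and a
# kubeconfig are available on the runner): nova find | nova_gate
printf '%s\n' "$SAMPLE" | nova_gate || echo "gate exit code: $?"
```

Treating a deprecated chart as a harder failure than an outdated one follows the article's point that deprecated charts will receive no further updates.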
Recently, Nova added a new container scanning feature. See this in action by running the `nova find` command with the `--containers` flag:
```bash
nova find --containers
```

```
Container Name                                          Current Version       Old   Latest   Latest Minor          Latest Patch
==============                                          ===============       ===   ======   =============         =============
quay.io/prometheus/alertmanager                         v0.23.0               true  v0.24.0  v0.23.0               v0.23.0
quay.io/prometheus-operator/prometheus-config-reloader  v0.53.1               true  v0.58.0  v0.53.1               v0.53.1
quay.io/kiwigrid/k8s-sidecar                            1.14.2                true  1.19.2   1.19.2                1.14.3
grafana/grafana                                         8.3.3                 true  9.0.4    8.5.9                 8.3.10
k8s.gcr.io/kube-state-metrics/kube-state-metrics        v2.3.0                true  v2.5.0   v2.5.0                v2.3.0
quay.io/prometheus-operator/prometheus-operator         v0.53.1               true  v0.58.0  v0.53.1               v0.53.1
docker.io/bitnami/kubewatch                             0.1.0-debian-10-r571  true  0.1.0    0.1.0-debian-10-r571  0.1.0
k8s.gcr.io/metrics-server/metrics-server                v0.6.0                true  v0.6.1   v0.6.0                v0.6.1
us.gcr.io/k8s-artifacts-prod/ingress-nginx/controller   v0.34.1               true  v1.3.0   v0.34.1               v0.34.1
quay.io/prometheus/prometheus                           v2.32.1               true  v2.37.0  v2.37.0               v2.32.1
k8s.gcr.io/autoscaling/vpa-recommender                  0.10.0                true  0.11.0   0.10.0                0.10.0
k8s.gcr.io/autoscaling/vpa-updater                      0.10.0                true  0.11.0   0.10.0                0.10.0
docker.io/datawire/quote                                0.4.1                 true  0.5.0    0.4.1                 0.4.1
k8s.gcr.io/coredns/coredns                              v1.8.6                true  v1.9.3   v1.9.3                v1.8.6
k8s.gcr.io/etcd                                         3.5.3-0               true  3.5.4-0  3.5.3-0               3.5.3-0
k8s.gcr.io/kube-apiserver                               v1.24.1               true  v1.24.3  v1.24.3               v1.24.3
k8s.gcr.io/kube-controller-manager                      v1.24.1               true  v1.24.3  v1.24.3               v1.24.3
k8s.gcr.io/kube-proxy                                   v1.24.1               true  v1.24.3  v1.24.3               v1.24.3
k8s.gcr.io/kube-scheduler                               v1.24.1               true  v1.24.3  v1.24.3               v1.24.3
```
Although having the most current Helm chart and container versions is ideal, there are many reasons engineering teams choose to pin a specific version. Perhaps the team isn’t ready for an upgrade because the newest version introduces breaking changes. Nova can accommodate this by allowing you to declare your own set of versions, rather than using the latest available version for comparison. You may set desired versions on the command line or in a config file.
For example, in our Nova scan above, we found that we are currently running version 26.1.0 of the kube-prometheus-stack Helm chart, even though the latest version is 37.3.0. In this scenario, our engineering team is required to use the earlier version.
To set the desired version as 26.1.0, run the command:
```bash
nova find --desired-versions='kube-prometheus-stack=26.1.0'
```
If you would prefer to set the desired version in a file, generate a config file with the command:
```bash
nova generate-config --config=nova.yaml
```
In the Nova configuration file, add kube-prometheus-stack=26.1.0 to the list of desired versions, like so:
```yaml
containers: false
context: ""
desired-versions:
  kube-prometheus-stack: 26.1.0
include-all: false
output-file: ""
poll-artifacthub: true
show-errored-containers: false
show-non-semver: false
show-old: false
url: []
wide: false
```
If you have multiple clusters and want to apply the benefits of Nova at scale, Fairwinds offers a platform called Insights. You can centrally manage Nova across clusters to make sure that your Helm release versions and containers are up to date. Nova is also flexible enough to incorporate into a continuous integration system.