Fairwinds | Blog

K8s Tutorial: Find Outdated Helm Charts with Nova

Written by Andy Suderman | Jul 26, 2022 4:08:13 PM

Making sure you have the most recent version of the software you install in a Kubernetes cluster helps you avoid known security issues and gives you access to the most up-to-date project features. If you use Helm to manage your releases, Fairwinds Nova can help you find outdated or deprecated Helm charts running in your cluster. You can run Nova from your command line or integrate it into your continuous integration process, and as of version 3.1.0, you can scan containers.

How to Install

Install Nova using asdf or Homebrew, from the source code, or from GitHub Releases. The comprehensive set of installation instructions is in the Nova Docs. In this article we demonstrate how to install Nova from the GitHub Releases page.

First, visit the releases page and find the release that is right for your environment. For example, on a Linux machine with an amd64 processor, you will want to download the release for Linux amd64.

Run the following commands to download and install Nova:

curl -L "https://github.com/FairwindsOps/nova/releases/download/3.2.0/nova_3.2.0_linux_amd64.tar.gz" > nova.tar.gz
tar -xvf nova.tar.gz
sudo mv nova /usr/local/bin/

Next, check that the installation worked by running the help command:

nova help

You should see a list of Nova commands and options, like this: 

fairwinds tool to check for updated chart releases.

Usage:
  nova [flags]
  nova [command]

Available Commands:
  completion      Generate the autocompletion script for the specified shell
  find            Find out-of-date deployed releases.
  generate-config Generate a config file.
  help            Help about any command
  version         Prints the current version.

Flags:
      --alsologtostderr                   log to standard error as well as files (default true)
      --config string                     Config file to use. If empty, flags will be used instead
      --context string                    A context to use in the kubeconfig.
  -d, --desired-versions stringToString   A map of chart=override_version to override the helm repository when checking. (default [])
  -h, --help                              help for nova
  -a, --include-all                       Show all charts even if no latest version is found.
      --logtostderr                       log to standard error instead of files (default true)
      --output-file string                Path on local filesystem to write file output to
      --poll-artifacthub                  When true, polls artifacthub to match against helm releases in the cluster. If false, you must provide a url list via --url/-u. Default is true. (default true)
      --show-old                          Only show charts that are not on the latest version
  -u, --url strings                       URL for a helm chart repo
  -v, --v Level                           number for the log level verbosity
      --wide                              Output chart name and namespace

Use "nova [command] --help" for more information about a command.

Audit Helm Chart Versions with Nova

The fastest way to run Nova is from your command line. To scan the Helm charts installed in the Kubernetes cluster you are currently authenticated to, run the command: 

nova find

You will see a list of your Helm releases, the version of the Helm chart that is installed in your cluster, the latest available version and whether or not your version is out of date.

Release Name             Installed    Latest    Old      Deprecated
============             =========    ======    ===      ==========
kube-prometheus-stack    26.1.0       37.3.0    true     false
metrics-server           3.8.0        3.8.2     true     false
vpa                      1.4.0        1.4.0     false    false

For more information about these Helm releases, including which namespace they are running in, invoke the command: 

nova find --wide
Release Name             Chart Name               Namespace    HelmVersion    Installed    Latest    Old      Deprecated
============             ==========               =========    ===========    =========    ======    ===      ==========
kube-prometheus-stack    kube-prometheus-stack    demo         3              26.1.0       37.3.0    true     false
metrics-server           metrics-server           demo         3              3.8.0        3.8.2     true     false
vpa                      vpa                      demo         3              1.4.0        1.4.0     false    false

To update your Helm release, copy the latest version number of the chart, and run the `helm upgrade` command. In our example, the metrics-server chart version is out of date, so to update it we would run:

helm upgrade metrics-server metrics-server/metrics-server --version 3.8.2

If a chart is deprecated, you will see this:

Release Name    Installed    Latest    Old      Deprecated
============    =========    ======    ===      ==========
kubewatch       3.3.4        3.3.4     false    true

A deprecated chart should receive special attention because it means that the project is no longer maintained and there will be no further updates. The longer deprecated software is deployed, the more brittle and attack-prone it becomes. Popular projects that are deprecated often change names or Helm repo URLs, and the documentation for the deprecated chart will point you to the new project, or offer alternatives that you should consider.

Note: At the time of this article, Nova has an interesting issue with deprecated charts and artifacthub.io. In order to generate the output shown above, we had to disable artifacthub.io scanning and point Nova directly at the chart repository for kubewatch. The command used to do this is:

nova find --poll-artifacthub=false --url=https://charts.bitnami.com/bitnami

The issue with artifacthub.io has to do with the fact that we don't know the actual source repository that an installed Helm release came from. This is currently being actively discussed as a modification to Helm in this Helm improvement proposal (HIP). Additionally, we are tracking the issue here in GitHub.
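
For the continuous integration use mentioned at the start of this article, the following added example (not from the Nova project) parses the table that `nova find` prints and returns a non-zero exit status when a release is outdated or deprecated. The function names nova_gate and sample_scan, the exit codes, and the combined sample table are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of Nova. nova_gate and sample_scan are
# hypothetical names; the exit codes are a convention chosen here.

# Reads a `nova find` table on stdin and prints one line per finding.
# Exit status: 0 = all current, 1 = outdated release(s), 2 = deprecated chart(s).
nova_gate() {
    # Columns are separated by runs of two or more spaces.
    awk -F '  +' '
        # Drop trailing whitespace so the last column compares cleanly.
        { sub(/[ \t\r]+$/, "") }
        # Map column titles to positions from the header row, so the
        # default layout and the --wide layout are both handled.
        $1 == "Release Name" { for (i = 1; i <= NF; i++) col[$i] = i; hdr = 1; next }
        # Skip the ruler line, anything before the header, and short rows.
        /^=/ || !hdr || NF < col["Deprecated"] { next }
        $(col["Deprecated"]) == "true" {
            printf "DEPRECATED %s %s\n", $1, $(col["Installed"]); dep++; next
        }
        $(col["Old"]) == "true" {
            printf "OUTDATED %s %s -> %s\n", $1, $(col["Installed"]), $(col["Latest"]); old++
        }
        END { exit (dep ? 2 : (old ? 1 : 0)) }
    '
}

# Constructed sample: the rows of the two tables shown above, combined.
sample_scan() {
    cat <<'EOF'
Release Name             Installed    Latest    Old      Deprecated
============             =========    ======    ===      ==========
kube-prometheus-stack    26.1.0       37.3.0    true     false
metrics-server           3.8.0        3.8.2     true     false
vpa                      1.4.0        1.4.0     false    false
kubewatch                3.3.4        3.3.4     false    true
EOF
}

# In a pipeline the input would be `nova find | nova_gate`.
sample_scan | nova_gate || echo "gate exit status: $?"
```

A deprecated chart takes precedence over an outdated one in the exit status, so a job can treat status 2 as a hard failure and status 1 as a warning.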

Audit Container Versions with Nova

Recently, Nova added a new container scanning feature. See this in action by running the `nova find` command with the `--containers` flag: 

nova find --containers
Container Name                                            Current Version         Old     Latest     Latest Minor            Latest Patch
==============                                            ===============         ===     ======     =============           =============
quay.io/prometheus/alertmanager                           v0.23.0                 true    v0.24.0    v0.23.0                 v0.23.0
quay.io/prometheus-operator/prometheus-config-reloader    v0.53.1                 true    v0.58.0    v0.53.1                 v0.53.1
quay.io/kiwigrid/k8s-sidecar                              1.14.2                  true    1.19.2     1.19.2                  1.14.3
grafana/grafana                                           8.3.3                   true    9.0.4      8.5.9                   8.3.10
k8s.gcr.io/kube-state-metrics/kube-state-metrics          v2.3.0                  true    v2.5.0     v2.5.0                  v2.3.0
quay.io/prometheus-operator/prometheus-operator           v0.53.1                 true    v0.58.0    v0.53.1                 v0.53.1
docker.io/bitnami/kubewatch                               0.1.0-debian-10-r571    true    0.1.0      0.1.0-debian-10-r571    0.1.0
k8s.gcr.io/metrics-server/metrics-server                  v0.6.0                  true    v0.6.1     v0.6.0                  v0.6.1
us.gcr.io/k8s-artifacts-prod/ingress-nginx/controller     v0.34.1                 true    v1.3.0     v0.34.1                 v0.34.1
quay.io/prometheus/prometheus                             v2.32.1                 true    v2.37.0    v2.37.0                 v2.32.1
k8s.gcr.io/autoscaling/vpa-recommender                    0.10.0                  true    0.11.0     0.10.0                  0.10.0
k8s.gcr.io/autoscaling/vpa-updater                        0.10.0                  true    0.11.0     0.10.0                  0.10.0
docker.io/datawire/quote                                  0.4.1                   true    0.5.0      0.4.1                   0.4.1
k8s.gcr.io/coredns/coredns                                v1.8.6                  true    v1.9.3     v1.9.3                  v1.8.6
k8s.gcr.io/etcd                                           3.5.3-0                 true    3.5.4-0    3.5.3-0                 3.5.3-0
k8s.gcr.io/kube-apiserver                                 v1.24.1                 true    v1.24.3    v1.24.3                 v1.24.3
k8s.gcr.io/kube-controller-manager                        v1.24.1                 true    v1.24.3    v1.24.3                 v1.24.3
k8s.gcr.io/kube-proxy                                     v1.24.1                 true    v1.24.3    v1.24.3                 v1.24.3
k8s.gcr.io/kube-scheduler                                 v1.24.1                 true    v1.24.3    v1.24.3                 v1.24.3

Customizing Nova 

Although having the most current Helm chart and container versions is ideal, there are many reasons engineering teams choose to pin a specific version. Perhaps the team isn’t ready for an upgrade because the newest version introduces breaking changes. Nova can accommodate this by allowing you to declare your own set of versions, rather than using the latest available version for comparison. You may set desired-versions via the command line or via a file.

For example, in our Nova scan above, we found that we are currently running version 26.1.0 of the kube-prometheus-stack Helm chart, even though the latest version is 37.3.0. In this scenario, our engineering team is required to use the earlier version.

To set the desired version as 26.1.0, run the command:

nova find --desired-versions='kube-prometheus-stack=26.1.0'

If you would prefer to set the desired version in a file, generate a config file with the command: 

nova generate-config --config=nova.yaml

In the Nova configuration file, add kube-prometheus-stack=26.1.0 to the list of desired versions, like so: 

containers: false
context: ""
desired-versions: { 
  kube-prometheus-stack: 26.1.0
}
include-all: false
output-file: ""
poll-artifacthub: true
show-errored-containers: false
show-non-semver: false
show-old: false
url: []
wide: false

Apply the Benefits of Nova at Scale

If you have multiple clusters and want to apply the benefits of Nova at scale, Fairwinds offers a platform called Insights. You can manage Nova centrally and consistently across clusters to make sure that your Helm release versions and containers are up to date. Nova is also flexible enough to incorporate into a continuous integration system.

Interested in using Fairwinds Insights? It’s available for free! Learn more here.
