This repository has been archived by the owner on Mar 12, 2024. It is now read-only.

Update docs
luborpetr committed Oct 12, 2020
1 parent 5ee5887 commit 4cacadc
Showing 1 changed file with 82 additions and 2 deletions.
84 changes: 82 additions & 2 deletions docs/markdown/Experiment_Modules/kubernetes_experiments.md
Expand Up @@ -26,7 +26,7 @@ Environment variables that control how the Chaos Engine interacts with Kubernete
| kubernetes | The presence of this key enables Kubernetes module. | N/A | Yes |
| kubernetes.url | Kubernetes server API url e.g. | None | Yes |
| kubernetes.token | JWT token assigned to service account. You can get the value by running `kubectl describe secret name_of_your_secret` | None | Yes |
| kubernetes.namespace | K8S namespace where experiments should be performed | `default` | Yes |
| kubernetes.namespaces | Comma-separated list of namespaces where experiments should be performed | `default` | Yes |
| kubernetes.debug | Enables debug log of Kubernetes java client | `false` | No |
| kubernetes.validateSSL | Enables validation of sever side certificates | `false` | No |
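
Review bot: The `kubernetes.namespace` row is replaced by `kubernetes.namespaces` with no word on whether the old key is still read, so an existing deployment that sets only `kubernetes.namespace` cannot tell from this table whether it keeps its namespace or ends up on the `default` value. Add a sentence to the description saying the key was renamed and whether the singular form is still accepted, and include a sample value (for example `ns-a,ns-b`) so the separator and whitespace handling are unambiguous. The row also lists a default of `default` while marking the key as required; one of the two columns should be corrected.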

Expand All @@ -36,6 +36,7 @@ A service account with a role binding needs to be created in order to access spe

Please replace the {{namespace}} fillers with the appropriate values and apply to your cluster.

### Experiments on single namespace
**chaos-engine-service-account.yaml**

```yaml
Expand Down Expand Up @@ -110,7 +111,86 @@ subjects:
namespace: {{namespace}}
```
You can retrieve the token by running `kubectl describe secret chaos-engine -n {{namespace}}`
You can retrieve the token by running `kubectl describe secret chaos-engine -n {{namespace}}`

### Experiments on multiple namespaces

When your experiment targets are located in multiple namespaces,
you need to bind roles allowing access to appropriate namespace to your service account.
Or you can simply create a cluster role and binding by running below yaml.


```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: chaos-engine-crole
rules:
- apiGroups:
- apps
resources:
- daemonsets
- daemonsets/status
- deployments
- deployments/status
- replicasets
- replicasets/status
- statefulsets
- statefulsets/status
verbs:
- get
- list
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- apiGroups:
- ""
resources:
- pods
- pods/status
- replicationcontrollers/status
verbs:
- get
- list
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: chaos-engine-rolebinding
roleRef:
kind: ClusterRole
name: chaos-engine-crole
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: chaos-engine-serviceaccount
namespace: {{namespace}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: chaos-engine-serviceaccount
namespace: {{namespace}}
```


### Verify Service Account Setting
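
Review bot: The ClusterRoleBinding in the new "Experiments on multiple namespaces" section gives `chaos-engine-serviceaccount` pod `delete` and `pods/exec` `create` in every namespace of the cluster, which is wider than the namespaces listed in `kubernetes.namespaces`, yet it is introduced with "Or you can simply create a cluster role and binding". State that scope explicitly and show the narrower option first: keep the ClusterRole, but bind it with one RoleBinding per target namespace (a RoleBinding may reference a ClusterRole and then grants it only inside its own namespace). The first sentence of the section mentions this route but gives no manifest for it. Separately, the binding is named `chaos-engine-rolebinding` although its kind is ClusterRoleBinding; a name that matches `chaos-engine-crole` would avoid confusion with a namespaced RoleBinding.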
