Azure web app access restrict
Azure web app access restrict causes a split brain condition by restricting the access to an application service instance.
- This fault checks if the requests have been serviced and recovery is automated after the restrictions have been lifted.
- It checks the performance of the application (or process) running on the instance.
Usage
View fault usage
Prerequisites
- Kubernetes > 1.16
- Adequate Azure access to web apps
- Use Azure file-based authentication to connect to the instance using Azure GO SDK. To generate the auth file, run
az ad sp create-for-rbac --sdk-auth > azure.auth
Azure CLI command. - Create a Kubernetes secret that has the auth file created in the previous step in the
CHAOS_NAMESPACE
. Below is a sample secret file:
apiVersion: v1
kind: Secret
metadata:
name: cloud-secret
type: Opaque
stringData:
azure.auth: |-
{
"clientId": "XXXXXXXXX",
"clientSecret": "XXXXXXXXX",
"subscriptionId": "XXXXXXXXX",
"tenantId": "XXXXXXXXX",
"activeDirectoryEndpointUrl": "XXXXXXXXX",
"resourceManagerEndpointUrl": "XXXXXXXXX",
"activeDirectoryGraphResourceId": "XXXXXXXXX",
"sqlManagementEndpointUrl": "XXXXXXXXX",
"galleryEndpointUrl": "XXXXXXXXX",
"managementEndpointUrl": "XXXXXXXXX"
}
- If you change the secret key name (from
azure.auth
), ensure that you update theAZURE_AUTH_LOCATION
environment variable in the chaos experiment with the new name.
Default validations
Azure target web application should be in the running state.
Fault tunables
Fault tunables
Mandatory Fields
Variables | Description | Notes |
---|---|---|
AZURE_WEB_APP_NAMES | Name of Athe zure web app services to target. | Comma-separated names of the web applications. |
RESOURCE_GROUP | The name of the resource group for the target web app | For example, TeamDevops . |
Optional Fields
Variables | Description | Notes |
---|---|---|
RULE_NAME | Rule name that is added as a part of the chaos injection. | If this is not provided, the fault uses the default name, i.e. litmus-experiment-rule . |
IP_ADDRESS_BLOCK | IP address (or CIDR range) for the rule. | Defaults to 0.0.0.0/0 . |
ACTION | Action you wish to perfrom with the rule. | Defaults to deny. Supports allow action as well. |
PRIORITY | Priority of the rule, wherein lower the number, higher is the priority and vice-versa. | Defaults to 300. For more information, refer here. |
TOTAL_CHAOS_DURATION | Duration that you specify, through which chaos is injected into the target resource (in seconds). | Defaults to 30s. |
CHAOS_INTERVAL | Time interval between two successive instance power offs. | Defaults to 30s. |
SEQUENCE | Sequence of chaos execution for multiple instances. | Defaults to parallel. Supports serial sequence as well. |
RAMP_TIME | Period to wait before and after injecting chaos (in seconds). | For example, 30s. |
Fault examples
Common fault tunables
Refer to the common attributes to tune the common tunables for all the experiments.
Web app access restrict by name
It contains a comma-separated list of web application names that will be subject to chaos. You can tune it using the AZURE_WEB_APP_NAMES
environment variable.
Use the following example to tune it:
# access restrict on target web app by their names
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
name: engine-nginx
spec:
engineState: "active"
annotationCheck: "false"
chaosServiceAccount: litmus-admin
experiments:
- name: azure-web-access-restrict
spec:
components:
env:
# comma separated names of the target web apps
- name: AZURE_WEB_APP_NAMES
value: 'webApp-01,webApp-02'
# name of the resource group
- name: RESOURCE_GROUP
value: 'chaos-rg'
- name: TOTAL_CHAOS_DURATION
VALUE: '60'
Access restrict for a certain CIDR range
It contains a CIDR range that is used in the rule. You can tune it using the IP_ADDRESS_BLOCK
environment variable.
Use the following example to tune it:
# restrict the web app for a certain
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
name: engine-nginx
spec:
engineState: "active"
annotationCheck: "false"
chaosServiceAccount: litmus-admin
experiments:
- name: azure-web-access-restrict
spec:
components:
env:
# provide the value of ip address/CIDR Range
- name: IP_ADDRESS_BLOCK
value: '0.0.0.0/0'
# name of the resource group
- name: RESOURCE_GROUP
value: 'chaos-rg'
- name: TOTAL_CHAOS_DURATION
VALUE: '60'
Access restrict with action
It helps you allow or deny the traffic for the rule provided. You can tune it using the ACTION
environment variable. By default, it is set to deny.
Use the following example to tune it:
# defines the action for the given network rule
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
name: engine-nginx
spec:
engineState: "active"
annotationCheck: "false"
chaosServiceAccount: litmus-admin
experiments:
- name: azure-web-access-restrict
spec:
components:
env:
# Provide the action for a rule
- name: ACTION
value: 'deny'
# duration for the chaos execution
- name: TOTAL_CHAOS_DURATION
VALUE: '60'
Access restrict with priority
It helps define the priority of the network rule that is created by the fault. You can tune it using the PRIORITY
environment variable. By default, it is set to 300.
Use the following example to tune it:
# defines the priority for the network rule
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
name: engine-nginx
spec:
engineState: "active"
annotationCheck: "false"
chaosServiceAccount: litmus-admin
experiments:
- name: azure-web-access-restrict
spec:
components:
env:
# Provide the priority for a rule
- name: PRIORITY
value: '300'
# duration for the chaos execution
- name: TOTAL_CHAOS_DURATION
VALUE: '60'
Access restrict with custom rule name
It defines a custom rule name for the chaos. This rule is added to the chaos for a specific duration. You can tune it using the RULE_NAME
environment variable.
Use the following example to tune it:
# defines the rule name for the network rule created
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
name: engine-nginx
spec:
engineState: "active"
annotationCheck: "false"
chaosServiceAccount: litmus-admin
experiments:
- name: azure-web-access-restrict
spec:
components:
env:
# Provide the name of the rule
- name: RULE_NAME
value: 'chaos-rule'