Chaos agent installation access requirements
This topic lists the access requirements for installing the Kubernetes chaos agent, covering discovery and all types of faults.
| Resource | Modes (Scope of chaos agent) | Permissions required | Use |
|---|---|---|---|
| pod | Namespaced, Cluster | [create, delete, get, list, patch, update, deletecollection] | Manage transient pods created to perform chaos. |
| events | Namespaced, Cluster | [create, get, list, patch, update] | Generate and manage chaos events. |
| secrets | Namespaced, Cluster | [get, update, patch, create] | Read authentication information (cluster ID and access keys) and configuration tunables. |
| ConfigMaps | Namespaced, Cluster | [get, list, create, patch, update, watch, delete] | Configuration tunables and leader-election. |
| pods/log | Namespaced, Cluster | [get, list, watch] | Track execution logs. |
| jobs | Namespaced, Cluster | [create, delete, get, list, deletecollection] | Chaos experiments are launched as Kubernetes jobs. |
| pods/exec, pods/eviction | Namespaced, Cluster | [get, list, create] | |
| services | Namespaced, Cluster | [get, list] | |
| deployments, statefulsets | Namespaced, Cluster | [get, list, patch, update, delete] | For asset discovery and pod-autoscaler fault. |
| replicasets, replicationcontrollers, daemonsets, deploymentconfigs, rollouts | Namespaced, Cluster | [get, list] | For asset discovery of available resources on the cluster so that you can target them with chaos experiments. |
| networkpolicies | Namespaced, Cluster | [create, delete, list, get] | Cause chaos through network partitions. |
| nodes | Cluster-scoped only | [patch, get, list, update, watch] | Filter or isolate chaos targets to specific nodes. Subject nodes to chaos (only in cluster-scope). |
| namespaces | Cluster-scoped only | [get, list, watch] | For asset discovery to list the namespaces (only in cluster-scope). |
| chaosengines, chaosexperiments, chaosresults, chaosschedules, chaosengines/finalizers | Namespaced, Cluster | [create, delete, get, list, patch, update] | Lifecycle management of chaos custom resources in CE. |
| customresourcedefinitions | Cluster-scoped only | [create, delete, get, list, patch, update] | Lifecycle management of chaos custom resources in CE. |
| leases | Namespaced, Cluster | [get, create, list, update, delete] | Enable high availability of chaos custom controllers via leader elections. |
| workflows, workflows/finalizers, workflowtemplates, workflowtemplates/finalizers, cronworkflows, cronworkflows/finalizers | Namespaced, Cluster | [create, delete, get, list, patch, update, watch] | Lifecycle management of chaos custom resources in workflow controller. |
| clusterworkflowtemplates, clusterworkflowtemplates/finalizers | Cluster-scoped only | [create, delete, get, list, patch, update, watch] | Lifecycle management of chaos custom resources in workflow controller. |
| workflowtasksets, workflowartifactgctasks, workflowtaskresults | Namespaced, Cluster | [get, list, watch, deletecollection] | Lifecycle management of chaos custom resources in workflow controller. |