This section outlines the permissions required for installing the Windows infrastructure and executing chaos experiments. These requirements include administrator privileges, file system access, and managing security settings. Understanding and meeting these requirements are crucial for the successful execution of chaos experiments on Windows VMs.
| Chaos agent deployment model | Native Chaos Agent on Each VM (systemd service within target Windows machine) | Centralized chaos agent on Kubernetes (leverage VMware tools to inject chaos processes inside the guest VM) |
|---|
| Connectivity requirements from agent | - Outbound over port 443 to Harness from VM.
- Outbound to application health endpoints (ones which will be used for resilience validation) from VM
| - Outbound over port 443 to Harness from Kubernetes cluster
- Outbound over 443 to vCenter from Kubernetes cluster
- Outbound to application health endpoints (ones which will be used for resilience validation) from kubernetes cluster.
|
|---|
| Connectivity requirements from VM/cluster/app | - Application and chaos agent co-exist on the same VM.
| - Inbound over port 443 on ESX Host (from Kubernetes chaos agent).
|
|---|
| Access requirements for agent install | - Install agent as an administrator user.
| - Install agent as a cluster-admin or as a user mapped to cluster role with these permissions.
|
|---|
| Access requirements for basic chaos experiments | - Run experiments with non-administrator user.
| - vCenter user should be mapped to a predefined chaos role
- VMware tools should be setup on the VM
- Remote command injection can be performed with non-administrator user
|
|---|
| Access requirements for advanced chaos experiments | - Run experiments with administrator user
| - vCenter user should be mapped to a predefined chaos role
- VMware tools should be setup on the VM
- Remote command injection can be performed with administrator user
|
|---|
| Supported chaos faults | | |
|---|
| Component | Requirement | Description |
|---|
| Installation Script | Service management | The script that creates and manages a Windows service, which requires administrator privileges to interact with the Service Control Manager (SCM). |
| File system access | The script that creates directories, downloads and extracts files, and modifies the system's PATH environment variable, requiring elevated permissions. |
| Security and credential management | The script that handles sensitive information, such as administrator user credentials and security configurations, requiring elevated privileges. |
| Administrator privileges | Overall, administrator privileges that are essential for service management, file system access, network configuration, and security management. |
| Windows CPU Stress Experiment | Administrator privileges | The experiment that requires Administrator privileges to access and manipulate system CPU resources effectively. |
| WMI access | The experiment that accesses system information using Windows Management Instrumentation (WMI), requiring appropriate permissions. |
| PowerShell execution policy | The system's PowerShell execution policy which should be set to RemoteSigned to allow the execution of locally created scripts. |
| Windows Memory Stress Experiment | Administrator privileges | The experiment that requires Administrator privileges to access and modify system resources, including executing the Testlimit executable for memory consumption. |
| WMI access | The experiment that accesses system information using Windows Management Instrumentation (WMI), requiring appropriate permissions. |
| Permission to run executables | The experiment that uses the Testlimit executable to consume memory, requiring necessary permissions to execute the tool. |
| PowerShell execution policy | The system's PowerShell execution policy which should be set to RemoteSigned to allow the execution of locally created scripts. |
| Windows blackhole chaos experiment | Create and manage firewall rules | The experiment that uses New-NetFirewallRule and Remove-NetFirewallRule cmdlets to add and remove firewall rules, requiring administrator privileges. |
| Resolve DNS names | The experiment that uses Resolve-DnsName to resolve domain names to IP addresses, which may require administrator privileges. |
| Administrator privileges | Administrator privileges that are needed to ensure that the script can perform its intended functions of creating and managing firewall rules and resolving DNS names. |
| PowerShell execution policy | The system's PowerShell execution policy which should be set to "RemoteSigned" to allow the execution of locally created scripts. |