ECS network restrict
ECS network restrict allows you to restrict the network connectivity of containers in an Amazon ECS (Elastic Container Service) task by modifying the container security rules. This experiment is applicable to both serverless ECS tasks and those backed by EC2 instances. These experiments generally involve task-level chaos or access restrictions without causing direct in-container or in-VM disruptions.
Use cases
ECS network restrict:
- Tests the resilience and performance of your ECS tasks when network access is restricted.
- Validates the behavior of your application in a restricted networking environment.
- Restricts the network connectivity of containers by modifying the container security rules associated with the ECS task.
- Simulates scenarios where network access is restricted, which may impact the behavior of your application or infrastructure. For example, you can restrict outgoing internet access from containers to test how your application handles restricted networking environments or to validate the behavior of your application when certain network resources are not accessible.
- Validates the behavior of your application and infrastructure during simulated network restrictions, such as:
- Testing the resilience of your system when network access is restricted, including verifying if the containers can communicate with each other or with external resources when certain network restrictions are in place.
- Validating the performance and availability of your application in a restricted networking environment, including checking if the application can continue to function properly with limited network access.
Prerequisites
- Kubernetes >= 1.17
- ECS cluster running with the desired tasks and containers and familiarity with ECS service update and deployment concepts.
- Create a Kubernetes secret that has the AWS access configuration(key) in the
CHAOS_NAMESPACE. Below is a sample secret file:
apiVersion: v1
kind: Secret
metadata:
name: cloud-secret
type: Opaque
stringData:
cloud_config.yml: |-
# Add the cloud AWS credentials respectively
[default]
aws_access_key_id = XXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXX
HCE recommends that you use the same secret name, that is, cloud-secret. Otherwise, you will need to update the AWS_SHARED_CREDENTIALS_FILE environment variable in the fault template with the new secret name and you won't be able to use the default health check probes.
Below is an example AWS policy to execute the fault.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecs:DescribeServices"
],
"Resource": "*"
}
]
}
- The ECS containers should be in a healthy state before and after introducing chaos.
- Refer to AWS named profile for chaos to know how to use a different profile for AWS faults. Refer to the common attributes and AWS-specific tunables to tune the common tunables for all faults and AWS-specific tunables.
- Refer to the superset permission/policy to execute all AWS faults.
Mandatory tunables
| Tunable | Description | Notes |
|---|---|---|
| CLUSTER_NAME | Name of the target ECS cluster. | For example, cluster-1. |
| SERVICE_NAMES | Name of the ECS service under chaos. | For example, nginx-svc. |
| REGION | Region name of the target ECS cluster | For example, us-east-1. |
Optional tunables
| Tunable | Description | Notes |
|---|---|---|
| TOTAL_CHAOS_DURATION | Duration that you specify, through which chaos is injected into the target resource (in seconds). | Default: 30s. For more information, go to duration of the chaos. |
| CHAOS_INTERVAL | Interval between successive instance terminations (in seconds). | Default. 30s. For more information, go to chaos interval. |
| IP_ADDRESS | Provide the IP address/CIRD range. If no IP/CIRD range is provided then it will remove all the rules from the security group for a specified chaos interval. | Default: ''. For more information, go to IP address. |
| RULE_TYPE | Provide the rule type either outbound or inbound rule | Default: outbound. For more information, go to rule type. |
| RULE_MODE | Provide the mode to modify, add means add a new rule and remove means removing the existing rule. To remove a rule please provide the exact rule details. | Defaults: remove. For more information, go to rule mode. |
| PROTOCOL | Provide the protocol of the rule. | Default: tcp. For more information, go to protocol. |
| FROM_PORT | Provide the from port of the rule. | Default: 80. For more information, go to from port. |
| TO_PORT | Provide the to port of the rule. | Default: 80. For more information, go to to port. |
| RAMP_TIME | Period to wait before and after injecting chaos (in seconds). | For example, 30 s. For more information, go to ramp time. |
IP address or CIDR range
IP address or the CIDR range. Tune it by using the IP_ADDRESS environment variable. If no IP address or CIDR range is provided, the fault detaches all the available rules from inbound or outbound traffic from the target security group.
The following YAML snippet illustrates the use of this environment variable:
# Set container ip-address for the target ECS task
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
name: aws-nginx
spec:
engineState: "active"
annotationCheck: "false"
chaosServiceAccount: litmus-admin
experiments:
- name: ecs-network-restrict
spec:
components:
env:
- name: IP_ADDRESS
value: ''
- name: REGION
value: 'us-east-2'
- name: TOTAL_CHAOS_DURATION
VALUE: '60'
Rule type
Rule type associated with inbound or outbound traffic from the target security group. Tune it by using the RULE_TYPE environment variable.
The following YAML snippet illustrates the use of this environment variable:
# Set container rule-type for the target ECS task
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
name: aws-nginx
spec:
engineState: "active"
annotationCheck: "false"
chaosServiceAccount: litmus-admin
experiments:
- name: ecs-network-restrict
spec:
components:
env:
- name: RULE_TYPE
value: 'outbound'
- name: REGION
value: 'us-east-2'
- name: TOTAL_CHAOS_DURATION
VALUE: '60'
Rule mode
Outbound traffic rule associated with the target security group. Tune it by using the RULE_MODE environment variable.
The following YAML snippet illustrates the use of this environment variable:
# Set container rule-mode for the target ECS task
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
name: aws-nginx
spec:
engineState: "active"
annotationCheck: "false"
chaosServiceAccount: litmus-admin
experiments:
- name: ecs-network-restrict
spec:
components:
env:
- name: RULE_MODE
value: 'remove'
- name: REGION
value: 'us-east-2'
- name: TOTAL_CHAOS_DURATION
VALUE: '60'
Protocol
Network protocol associated with the rule. Tune it by using the PROTOCOL environment variable.
The following YAML snippet illustrates the use of this environment variable:
# Set container protocol for the target ECS task
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
name: aws-nginx
spec:
engineState: "active"
annotationCheck: "false"
chaosServiceAccount: litmus-admin
experiments:
- name: ecs-network-restrict
spec:
components:
env:
- name: PROTOCOL
value: 'tcp'
- name: REGION
value: 'us-east-2'
- name: TOTAL_CHAOS_DURATION
VALUE: '60'
From port and to port
The port from which traffic arrives (host) and the port to which the traffic is routed (destination). Tune it by using the FROM_PORT and TO_PORT environment variable.
The following YAML snippet illustrates the use of this environment variable:
# Set container protocol for the target ECS task
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
name: aws-nginx
spec:
engineState: "active"
annotationCheck: "false"
chaosServiceAccount: litmus-admin
experiments:
- name: ecs-network-restrict
spec:
components:
env:
- name: FROM_PORT
value: '80'
- name: TO_PORT
value: '80'
- name: REGION
value: 'us-east-2'
- name: TOTAL_CHAOS_DURATION
VALUE: '60'