Skip to main content

Fault-wise permissions

This topic describes the prerequisites and fault-wise permissions required to execute Kubernetes-based faults.

The prerequisites can be categorized into two groups:

  1. Common prerequisites
  2. Fault-type specific prerequisites

Common prerequisites

  • Ensure that the Kubernetes chaos infrastructure (or agent) is installed and all the components are healthy and in running state.
  • There should be outbound connectivity from the cluster pods to the Harness control plane.
  • Connectivity should be established between the cluster pods to any endpoint that needs to be queried as a part of the probe execution (or resilience validation).
  • Appropriate RBAC should be set up on the Kubernetes cluster, so that the service accounts used by the agent components are sufficient for the discovery and chaos injection. This is based on:
    • The scope of execution (cluster-wide or namespaced).
    • The nature of faults planned to be executed.

Fault-type specific prerequisites

Certain fault categories have unique requirements, from a permissions and set up (or configuration) perspective.

Pod network/Stress/API/IO

These faults require identifying the target container PID and remote execution of certain commands (or processes) within the target containers' network, PID, and mount namespace. These actions require the transient chaos pods to run with:

  • Root user;
  • Container runtime socket mounted;
  • Privilege escalation;
  • Linux capabilities like NET_ADMIN, SYS_ADMIN;
  • Mapping to hostpid.

HCE recommends you create a dedicated pod security policy (PSP) or equivalent that you can map to the transient chaos pods or service account.

Service load

Internally, the load fault leverages Locust (support for other tools is a part of the roadmap). The internal load engine uses a Python script to define the API calls that should be part of the load profile. The script is embedded within a ConfigMap that is referenced by the chaos pods during execution. Go to locust prerequisites for detailed steps

Cloud-based targets

Create an IAM role on the cloud account that is mapped to the appropriate policy. Your (cloud account user) credentials must be embedded with a Kubernetes secret before executing the fault. You can create a superset AWS policy that allows executing all the fault types supported by HCE.

tip
  • You can authenticate cloud API requests made by the chaos pods. If the Kubernetes chaos infrastructure (or agent) is set up on EKS or GKE clusters, you can set up IRSA or workload identity respectively, instead of using Kubernetes secrets.
  • You can configure ChaosGuard rules to limit the scope of the Harness chaos platform for faults executed, clusters chosen, application workload targeted and chaos service account leveraged.
  • The Service Load chaos is target-platform agnostic, that is, it can generate load against service endpoints regardless of where they are hosted.

Permissions required for pod-level faults

This table lists the permissions required to execute Kubernetes fault (node-level and pod-level).

tip
  • NA refers to Not Applicable.
  • NA* indicates that the permissions are not required for pod-level experiments by default, but if you want to target the pods on specific node, then the permissions will be required.
  • Starred pod-level experiments indicate that they don't require helper pods for execution.

Read the permission as: "You can create pod delete fault in Namespaced and cluster mode, and on the pod entity, it requires permissions to [create, delete, get, list, patch, deletecollection, update] the pod.

Pod-level faults Mode (Scopes of chaos agent) Permissions required
Pod delete * Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Container kill Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Disk fill Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod API block Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod API latency Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod API modify body Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod API modify header Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod API status code Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod autoscaler * Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list, patch, update]
  • replicasets, daemonsets = NA
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod CPU hog exec * Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = [get, list, create]
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod CPU hog Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod DNS error Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod DNS spoof Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod HTTP latency Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod HTTP modify body Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod HTTP modify header Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod HTTP reset peer Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod HTTP status code Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod IO attribute override Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod IO error Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod IO latency Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod IO stress Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod memory hog exec * Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = [get, list, create]
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod memory hog Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod network corruption Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod network duplication Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod network latency Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod network loss Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod network partition * Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = [create, delete, get, list]
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Pod network rate limit Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Time chaos Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*

Permissions required for node-level faults

Node-level faults Mode (Scopes of chaos agent) Permissions required
Kubelet service kill Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = [get, list, create]
  • deployments, statefulsets = NA
  • replicasets, daemonsets = NA
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = [get, list]
Node CPU hog Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = [get, list, create]
  • deployments, statefulsets = NA
  • replicasets, daemonsets = NA
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = [get, list]
Node drain Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = [get, list, create]
  • deployments, statefulsets = NA
  • replicasets, daemonsets = NA
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = [get, list, create]
  • nodes = [get, list, patch, update]
Node IO stress Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = [get, list, create]
  • deployments, statefulsets = NA
  • replicasets, daemonsets = NA
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = [get, list]
Node memory hog Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = [get, list, create]
  • deployments, statefulsets = NA
  • replicasets, daemonsets = NA
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = [get, list]
Node network latency Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = [get, list, create]
  • deployments, statefulsets = NA
  • replicasets, daemonsets = NA
  • networkpolicies = NA
  • jobs = create, delete, get, list, deletecollection
  • chaosEngines, chaosExperiments, chaosResults = create, delete, get, list, patch, update
  • secrets = NA
  • pod eviction = NA
  • nodes = [get, list]
Node network loss Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = [get, list, create]
  • deployments, statefulsets = NA
  • replicasets, daemonsets = NA
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = [get, list]
Node restart Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = [get, list, create]
  • deployments, statefulsets = NA
  • replicasets, daemonsets = NA
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = [get, list]
  • pod eviction = NA
  • nodes = [get, list]
Node taint Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = [get, list, create]
  • deployments, statefulsets = NA
  • replicasets, daemonsets = NA
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = [get, list, create]
  • nodes = [get, list, patch, update]
Kubelet density Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = [get, list]
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = NA
  • replicasets, daemonsets = NA
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = [get, list]
  • pod eviction = NA
  • nodes = [get, list]

Permissions required for Spring boot faults

Spring boot Mode (Scopes of chaos agent) Permissions required
Spring boot app kill Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Spring boot CPU stress Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Spring boot memory stress Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Spring boot latency Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Spring boot exception Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*
Spring boot fault Namespaced, Cluster
  • pod = [create, delete, get, list, patch, deletecollection, update]
  • events = [create, get, list, patch, update]
  • configMaps = NA
  • pods/log = [get, list, watch]
  • pods/exec = NA
  • deployments, statefulsets = [get, list]
  • replicasets, daemonsets = [get, list]
  • networkpolicies = NA
  • jobs = [create, delete, get, list, deletecollection]
  • chaosEngines, chaosExperiments, chaosResults = [create, delete, get, list, patch, update]
  • secrets = NA
  • pod eviction = NA
  • nodes = NA*