Pod DNS spoof
Pod DNS spoof is a Kubernetes pod-level chaos fault that injects chaos into pods to mimic DNS resolution. This fault resolves DNS target host names or domains to other IPs as specified in the SPOOF_MAP
environment variable in the chaos engine configuration.
This video walks through the execution of the pod IO latency experiment.
Use cases
Pod DNS spoof:
- Determines the resilience of an application when host names are resolved incorrectly.
- Determines how quickly an application can resolve the host names and recover from the failure.
- Simulates custom responses from a spoofed upstream service.
Permissions required
Below is a sample Kubernetes role that defines the permissions required to execute the fault.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: hce
name: pod-dns-spoof
spec:
definition:
scope: Cluster # Supports "Namespaced" mode too
permissions:
- apiGroups: [""]
resources: ["pods"]
verbs: ["create", "delete", "get", "list", "patch", "deletecollection", "update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "get", "list", "patch", "update"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["deployments, statefulsets"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["replicasets, daemonsets"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["chaosEngines", "chaosExperiments", "chaosResults"]
verbs: ["create", "delete", "get", "list", "patch", "update"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["create", "delete", "get", "list", "deletecollection"]
Prerequisites
- Kubernetes > 1.16
- The application pods should be in the running state before and after injecting chaos.
Optional tunables
Tunable | Description | Notes |
---|---|---|
TARGET_CONTAINER | Name of the container subject to DNS spoof. | None. For more information, go to target specific container |
NODE_LABEL | Node label used to filter the target node if TARGET_NODE environment variable is not set. | It is mutually exclusive with the TARGET_NODE environment variable. If both are provided, the fault uses TARGET_NODE . For more information, go to node label. |
TOTAL_CHAOS_DURATION | Duration for which to insert chaos (in seconds). | Default: 60 s. For more information, go to duration of the chaos |
SPOOF_MAP | Map of the target host names. For example, '{"abc.com":"spoofabc.com"}' where key is the host name to be spoofed and value is the host name to which the key is spoofed or redirected to. | If not provided, no host names or domains are spoofed. |
PODS_AFFECTED_PERC | Percentage of total pods to target. Provide numeric values. | Default: 0 (corresponds to 1 replica). For more information, go to pod affected percentage |
CONTAINER_RUNTIME | Container runtime interface for the cluster. | Default: containerd. Supports values: docker, containerd and crio. For more information, go to container runtime |
SOCKET_PATH | Path of the docker socket file. | Default: /run/containerd/containerd.sock . For more information, go to socket path |
RAMP_TIME | Period to wait before and after injecting chaos (in seconds). | For example, 30 s. For more information, go to ramp time |
LIB_IMAGE | Image used to inject chaos. | Default: harness/chaos-go-runner:main-latest . For more information, go to image used by the helper pod. |
SEQUENCE | Sequence of chaos execution for multiple target pods. | Default: parallel. Supports serial and parallel. For more information, go to sequence of chaos execution |
Spoof map
Map of the target host names. For example, '{"abc.com":"spoofabc.com"}'
where the key is the host name to be spoofed and the value is the host name to which the key is spoofed or redirected. Tune it by using the SPOOF_MAP
environment variable.
The following YAML snippet illustrates the use of this environment variable:
# contains the spoof map for the dns spoofing
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
name: engine-nginx
spec:
engineState: "active"
annotationCheck: "false"
appinfo:
appns: "default"
applabel: "app=nginx"
appkind: "deployment"
chaosServiceAccount: litmus-admin
experiments:
- name: pod-dns-spoof
spec:
components:
env:
# map of host names
- name: SPOOF_MAP
value: '{"abc.com":"spoofabc.com"}'
- name: TOTAL_CHAOS_DURATION
value: "60"
Container runtime and socket path
The CONTAINER_RUNTIME
and SOCKET_PATH
environment variables to set the container runtime and socket file path, respectively.
CONTAINER_RUNTIME
: It supportsdocker
,containerd
, andcrio
runtimes. The default value iscontainerd
.SOCKET_PATH
: It contains path of containerd socket file by default (/run/containerd/containerd.sock
). Fordocker
, specify path as/var/run/docker.sock
. Forcrio
, specify path as/var/run/crio/crio.sock
.
The following YAML snippet illustrates the use of these environment variables:
## provide the container runtime and socket file path
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
name: engine-nginx
spec:
engineState: "active"
annotationCheck: "false"
appinfo:
appns: "default"
applabel: "app=nginx"
appkind: "deployment"
chaosServiceAccount: litmus-admin
experiments:
- name: pod-dns-spoof
spec:
components:
env:
# runtime for the container
# supports docker
- name: CONTAINER_RUNTIME
value: "containerd"
# path of the socket file
- name: SOCKET_PATH
value: "/run/containerd/containerd.sock"
# map of host names
- name: SPOOF_MAP
value: '{"abc.com":"spoofabc.com"}'
- name: TOTAL_CHAOS_DURATION
VALUE: "60"