Prerequisites before executing faults on TKGi

This topic describes what the HCE platform requires to execute chaos experiments.

On-premise Kubernetes (TKGi)

Chaos agent deployment model: Centralized chaos agent on Kubernetes (leverages the kube-api and container-runtime API to inject faults on K8s microservices).
Connectivity requirements from agent:
  • Outbound over port 443 to Harness from Kubernetes cluster.
  • Outbound to application health endpoints (ones which will be used for resilience validation) from Kubernetes cluster.
Connectivity requirements from VM/cluster/app: The application and the chaos agent co-exist as pods on the same cluster.
Access requirements for agent install: Install the agent as a cluster-admin or as a user mapped to a cluster role with these permissions.
Access requirements for basic chaos experiments
Access requirements for advanced chaos experiments:
  • Chaos ServiceAccount: [consolidated serviceaccount for advanced pod and node chaos]
  • Container Runtime privileges: [recommended psp for advanced chaos]
  • Refer to the Chaos Experiment Flow for Microservice Targets section in the architecture doc for more details on why these privileges are needed.
Chaos deployment and architecture details
Supported chaos faults