Comments (8)
There's an example manifest in the examples folder: https://github.com/linki/chaoskube/tree/master/examples
This should give you a good start but it does need global read access to pods. This is explained in more detail here: #182 (comment)
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: chaoskube
  namespace: my-namespace
spec:
  selector:
    matchLabels:
      app: chaoskube
  template:
    metadata:
      labels:
        app: chaoskube
    spec:
      serviceAccountName: chaoskube
      containers:
      - name: chaoskube
        image: quay.io/linki/chaoskube:v0.19.0
        args:
        - --interval=15m
        - --labels=app!=chaoskube
        - --namespaces=my-namespace
        - --no-dry-run
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: chaoskube
  namespace: my-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: chaoskube
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: chaoskube
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: chaoskube
subjects:
- kind: ServiceAccount
  name: chaoskube
  namespace: my-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: chaoskube
  namespace: my-namespace
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["delete"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chaoskube
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: chaoskube
subjects:
- kind: ServiceAccount
  name: chaoskube
  namespace: my-namespace
```
@linki - Thanks much! I will change the params and use the above. This helps.
@linki - I tried the above. I have in my namespace (test-ns) both the chaoskube pod and my application pods (5 pods in total). No pods are getting killed in my namespace and I see the below error in my log.
Could you please let me know why I'm getting this error? Thanks!
```
time="xxxx" level=info msg="starting up" dryRun=false interval=10m0s version=v0.19.0
W0520 xxxx 6 client_config.go:543] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
time="xxxx" level=info msg="connected to cluster" master="https://<ip>" serverVersion=v1.16.8
time="xxxx" level=info msg="setting pod filter" annotations= excludedPodNames="<nil>" includedPodNames="<nil>" labels="app!=chaoskube" maxKill=1 minimumAge=1h0m0s namespaceLabels= namespaces=test-ns
time="xxxx" level=info msg="setting quiet times" daysOfYear="[Dec 1 Dec31]" timesOfDay="[22:00-05:00]" weekdays="[Saturday Sunday]"
time="xxxx" level=info msg="setting timezone" location=UTC name=UTC offset=0
time="xxxx" level=error msg="failed to terminate victim" err="pods is forbidden: User \"system:serviceaccount:test-ns:default\" cannot list resource \"pods\" in API group \"\" at the cluster scope"
time="xxxx" level=error msg="failed to terminate victim" err="pods is forbidden: User \"system:serviceaccount:test-ns:default\" cannot list resource \"pods\" in API group \"\" at the cluster scope"
time="xxxx" level=error msg="failed to terminate victim" err="pods is forbidden: User \"system:serviceaccount:test-ns:default\" cannot list resource \"pods\" in API group \"\" at the cluster scope"
time="xxxx" level=error msg="failed to terminate victim" err="pods is forbidden: User \"system:serviceaccount:test-ns:default\" cannot list resource \"pods\" in API group \"\" at the cluster scope"
```
@linki - Any info on the above issue? I'm stuck with this issue now and unable to move forward.
Any help would be very useful.
You need to set up an RBAC "ClusterRole" and "ClusterRoleBinding" to allow the ServiceAccount that chaoskube uses to list Pods at the cluster scope.
```
pods is forbidden: User "system:serviceaccount:test-ns:default" cannot list resource "pods" in API group "" at the cluster scope
```
First of all, make sure chaoskube uses the correct ServiceAccount. From the logs your chaoskube is using the "default" ServiceAccount in the "test-ns" namespace. This is different from my example.
Then you need to carefully check whether you have the "ClusterRole" and "ClusterRoleBinding" correctly set up. It's a bit confusing sometimes, but it makes sense. You just need to carefully connect all the dots.
You can find information about RBAC rules here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
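To make the "connect all the dots" step concrete, here is an added example (not chaoskube's code and not part of the thread) that models how Kubernetes RBAC resolves a ServiceAccount's permissions through ClusterRoleBinding/ClusterRole and RoleBinding/Role, loaded with a hand-transcribed copy of the manifest above. It shows why the `default` ServiceAccount from the log fails the cluster-scoped pod list while the `chaoskube` ServiceAccount passes every check the manifest grants; RoleBindings that reference a ClusterRole and non-resource URLs are left out of the model.

```python
# Added example, not chaoskube's own code. The tables below are a constructed
# transcription of the manifest posted above (ClusterRole "chaoskube" granting
# list on pods, Role "chaoskube" in my-namespace granting delete on pods and
# create on events, both bound to ServiceAccount my-namespace/chaoskube).

# ClusterRole name -> rules; (namespace, Role name) -> rules
CLUSTER_ROLES = {"chaoskube": [{"resources": ["pods"], "verbs": ["list"]}]}
ROLES = {("my-namespace", "chaoskube"): [
    {"resources": ["pods"], "verbs": ["delete"]},
    {"resources": ["events"], "verbs": ["create"]},
]}
# ClusterRoleBinding: (subject "<ns>:<serviceaccount>", ClusterRole name)
CLUSTER_ROLE_BINDINGS = [("my-namespace:chaoskube", "chaoskube")]
# RoleBinding: (binding namespace, subject "<ns>:<serviceaccount>", Role name)
ROLE_BINDINGS = [("my-namespace", "my-namespace:chaoskube", "chaoskube")]

SA_PREFIX = "system:serviceaccount:"


def rule_allows(rule, verb, resource):
    """A rule grants when both its verb list and resource list match ('*' is a wildcard)."""
    return (verb in rule["verbs"] or "*" in rule["verbs"]) and (
        resource in rule["resources"] or "*" in rule["resources"])


def can_i(user, verb, resource, namespace=None):
    """True if `user` ('system:serviceaccount:<ns>:<name>', the form the API server
    prints in the forbidden error) may perform `verb` on `resource`. namespace=None
    is the cluster scope, which a pod list across namespaces requires."""
    if not user.startswith(SA_PREFIX):
        return False
    sa = user[len(SA_PREFIX):]
    # ClusterRoleBindings grant cluster-wide, so they satisfy every scope.
    for bound_sa, role in CLUSTER_ROLE_BINDINGS:
        if bound_sa == sa and any(
                rule_allows(r, verb, resource) for r in CLUSTER_ROLES.get(role, [])):
            return True
    # RoleBindings only apply inside their own namespace, never at cluster scope.
    if namespace is None:
        return False
    for bind_ns, bound_sa, role in ROLE_BINDINGS:
        if bind_ns == namespace and bound_sa == sa and any(
                rule_allows(r, verb, resource) for r in ROLES.get((bind_ns, role), [])):
            return True
    return False


def chaoskube_checklist(user, namespace):
    """The three grants the posted manifest gives chaoskube, reported one by one,
    so a mis-wired binding shows up as the exact permission that is missing."""
    return {
        "list pods (cluster scope)": can_i(user, "list", "pods"),
        f"delete pods in {namespace}": can_i(user, "delete", "pods", namespace),
        f"create events in {namespace}": can_i(user, "create", "events", namespace),
    }
```

Running `chaoskube_checklist("system:serviceaccount:test-ns:default", "test-ns")` reports every grant as missing, which is the situation the log above describes; only a ClusterRoleBinding can turn the cluster-scope entry to True.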
@linki - Thanks! I got it working by running as an admin user. I will retry with an ordinary user again. Will check the serviceaccount.
@2020testuser Cool. I'm glad it works now.
chaoskube v0.27.0 can now be run while limiting RBAC permissions to a single namespace. Please check out #399 (comment) for instructions on how to use it.