Additional Configuration for Helm
Some environments require additional configuration. Review the following sections to find the best configuration for your environment and then verify your installation.
- Declare container driver
- Enable Gremlin on the Kubernetes Master
- Add AppArmor support
- Use a PodSecurityPolicy
- Use a custom seccomp policy
- Configure a proxy
Declare container driver
Gremlin has many different drivers for integrating with the underlying container runtime powering Kubernetes, as shown in the following table. Gremlin automatically chooses the most suitable driver based on associated requirements.
When using Helm, you can declare the intended container driver with the following:
Enable Gremlin on the Kubernetes Master
Most Kubernetes deployments configure master nodes with the <span class="code-class-custom">node-role.kubernetes.io/master:NoSchedule</span> taint. You can run the following command to see if any of your nodes have this taint:
To install Gremlin on a Kubernetes master that has been tainted, add those tolerations to your Helm arguments:
Add AppArmor support
If your cluster has AppArmor enabled (for example, Azure Kubernetes Service), add the following line to your Helm deployment to allow the Gremlin container to run without a security profile:
Use a PodSecurityPolicy
Gremlin does not support running within the <span class="code-class-custom"> restricted </span> PodSecurityPolicy (PSP) that is configured by default on clusters that enable such policies. You can install a <span class="code-class-custom"> gremlin </span> PodSecurityPolicy to grant <span class="code-class-custom"> chao </span> and <span class="code-class-custom"> gremlin </span> everything they need, and nothing they don't need. When installing Gremlin with Helm, you can supply <span class="code-class-custom"> --set gremlin.podSecurity.podSecurityPolicy.create=true </span> to install Gremlin's custom pod security policies. Check out Gremlin's Helm Chart Repository for full documentation and usage.
Use a custom seccomp policy
All Gremlin behavior works under Docker's default seccomp policy. However some environments use seccomp profiles that are more restrictive, and prevent Gremlin behavior when using their default seccomp profile.
Gremlin has a custom seccomp profile which can be automatically installed when you install with Helm and pass <span class="code-class-custom"> --set gremlin.podSecurity.seccomp.enabled=true </span>. Check out Gremlin's Helm Chart Repository for full documentation and usage.
Configure a proxy
Both Gremlin and Chao can be configured to use a proxy for outgoing HTTP traffic. The conventional <span class="code-class-custom">https_proxy</span> and <span class="code-class-custom">no_proxy</span> variables can be passed as environment variables for this purpose.
Proxy certificate authorities
When proxies support HTTPS communication, or are otherwise configured with a TLS certificate, it can be necessary to configure Gremlin to trust the proxy's certificate authority. This is done by passing the <span class="code-class-custom">SSL_CERT_FILE</span> environment variable where the value is a path on the file system to a PEM encoded file containing the certificate authority's certificate.
Configuring Gremlin
Configuring the Gremlin Kubernetes Agent
Because the Gremlin Kubernetes Agent (Chao) communicates with the local Kubernetes ApiServer in addition to the internet, it's important to bypass internet proxies for traffic bound to <span class="code-class-custom"> apiserver </span>
SSL_CERT_DIR
Supplying <span class="code-class-custom">SSL_CERT_DIR</span> ensures Chao is still configured with the necessary certificate authories to trust <span class="code-class-custom">api.gremlin.com</span>. However it is not needed for most Gremlin installations because Chao will trust Gremlin servers by default. This variable is only required for Chao deployments when both of the following conditions are true:
- Chao is configured with <span class="code-class-custom">https_proxy</span> and this proxy is configured to accept TLS connections
- Chao is also configured with <span class="code-class-custom">SSL_CERT_FILE</span>, and the file it points to contains only the certificate authority for the https proxy
The value of <span class="code-class-custom">SSL_CERT_DIR</span> should point to the root of the certificate authority directory for the operating system on which Chao runs.
Adding annotations to service account
You can use the advanced feature of adding custom annotations to the gremlin and chao service accounts in Kubernetes.For example, this can be used to tag the gremlin or chao service accounts with an AWS EKS IAM role when running:
Adding environment variables
You can use the advanced feature of adding custom environment variables to gremlin and chao services.
Sets environment variable TEST1 to "hello".
Adding labels to Gremlin pods
You can add custom labels to your Gremlin pods and assign values to them by using gremlin.podLabels. To set additional labels, simply add a new line:
Fault-level privileges
Access to experiments is controlled in two ways. The EXPERIMENTS_READ
, EXPERIMENTS_WRITE
, and EXPERIMENTS_RUN
privileges can be leveraged to control access to all experiments as a single unit.
For finer-grained access control, the individual FAULT
privileges can be leveraged to control access to specific experiment types. See the descriptions for each experiment to determine the correct FAULT
privilege.