
Preview: Gremlin in Kubernetes Restricted Networks

With Linux version 2.31.0, this feature is enabled by default. We recommend upgrading to this version, where no further configuration is necessary.

Until now, any Gremlin experiment against a container or Kubernetes object target required that `api.gremlin.com` be accessible to that target (via proxy or otherwise). This made Gremlin installations challenging for environments where the network is restricted. For example, administrators of OpenShift environments will use a NetworkPolicy to restrict egress traffic from application pods that do not need any network access.

With Linux version 2.30.3, Gremlin no longer requires this network access from its targets when the environment variable `GREMLIN_TRANSPORT=domain-socket` is supplied to the `gremlind` agent process.

Try it out

To enable this behavior on an existing Kubernetes cluster, ensure you have at least version `2.30.3` installed, then enable the behavior by setting the environment variable:

```shell
# Command assumes Gremlin is installed in the `gremlin` namespace
kubectl set env daemonset/gremlin -n gremlin GREMLIN_TRANSPORT=domain-socket
```

To disable this behavior, simply remove the environment variable, or clear its value.

How it works

Prior to this change, Gremlin's network activity could be visualized as two parallel TCP streams:


gremlin  <--HTTP/TCP--> control plane
gremlind <--HTTP/TCP--> control plane

With `GREMLIN_TRANSPORT=domain-socket`, the `gremlin` experiment sidecar now routes its traffic to the `gremlind` agent process via a Unix domain socket (`unix(7)`), before it is ultimately sent to `api.gremlin.com`.


gremlin  <--HTTP/UNIX--> gremlind <--HTTP/TCP--> control plane
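
The HTTP/UNIX hop in the diagram above can be reproduced with the Python standard library. This is an added example, not Gremlin's code: the socket path, class names and `request_via_agent` are hypothetical, and the stand-in agent answers locally instead of relaying to the control plane.

```python
import http.client
import os
import socket
import socketserver
import tempfile
import threading
from http.server import BaseHTTPRequestHandler

class AgentHandler(BaseHTTPRequestHandler):
    """Stand-in for the agent end of the socket (hypothetical, not Gremlin code)."""
    def do_GET(self):
        # A real agent would relay this request upstream over TCP here.
        body = f"agent received {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # default logger expects a (host, port) peer, which AF_UNIX lacks

class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP client whose transport is an AF_UNIX socket, so no IP route is used."""
    def __init__(self, socket_path):
        super().__init__("localhost")  # only fills the Host header; never resolved
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)

def request_via_agent(path):
    """Send one GET over a Unix domain socket and return (status, body)."""
    with tempfile.TemporaryDirectory() as tmp:
        sock_path = os.path.join(tmp, "agent.sock")  # constructed path
        with socketserver.UnixStreamServer(sock_path, AgentHandler) as server:
            os.chmod(sock_path, 0o600)  # on Linux, file permissions gate connect()
            threading.Thread(target=server.serve_forever, daemon=True).start()
            conn = UnixHTTPConnection(sock_path)
            conn.request("GET", path)
            resp = conn.getresponse()
            result = (resp.status, resp.read().decode())
            conn.close()
            server.shutdown()
    return result

if __name__ == "__main__":
    print(request_via_agent("/ping"))
```

The client side opens no TCP connection at all, which is why an egress-denying NetworkPolicy on the target does not block this hop.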