asobti / kube-monkey

An implementation of Netflix's Chaos Monkey for Kubernetes clusters
Apache License 2.0
2.97k stars, 252 forks

whitelisting suggestion #5

Open haithkris opened 7 years ago

haithkris commented 7 years ago

Is there a possibility to add a whitelist to the kube monkey configuration? It could be exclusive with blacklisting. You either do the first or the second one. I find whitelisting better to deal with if you manage a lot of namespaces.

Thank you

asobti commented 7 years ago

Are you thinking of a scenario where all deployments within the whitelisted namespaces will be enrolled into Kube monkey? We'd have to figure out a way to specify parameters like MTBF etc. in this case.

An alternative way to do that would be instead of opting in deployments, maybe there could be an option to opt-in namespaces instead (by adding the kubernetes labels to them).

In either case, this isn't something that is currently supported. I'll try to take a look, but PRs are also welcome.

EIrwin commented 7 years ago

We too had discussed the preference of configuring opt-in vs opt-out. The cluster we would like to run this on has feature namespaces provisioned sometimes on a daily basis, in which case we likely would not want to disturb those. This would also require us to constantly update the blacklisting of namespaces, versus explicitly saying which namespaces to run it against. I might look into branching off and making it configurable.

asobti commented 7 years ago

@EIrwin I'm all for having an opt-in option. I just haven't figured out the best way to handle configurations like MTBF etc. in this case. Perhaps we could use a system where you globally set the mode to opt-in and specify some global value for MTBF. Individual deployments can then override this value.

I'll take a look at this but if you do end up forking and implementing this, do ping me and I'll take a look at it.

EIrwin commented 7 years ago

@asobti that was similar to the approach I have started implementing. The first iteration could simply use an opt-in bool along with a global MTBF to be used. In later iteration(s), this could be extended to allow individual deployments to override this value.

asobti commented 7 years ago

Sounds good. I'll hold off on working on this for now in that case so we're not repeating the same work.

janwillies commented 7 years ago

Facing the same use-case. We have a shared cluster and there's no way for us to know all the namespaces to blacklist.

Maybe another idea is to have kube-monkey run per namespace? Or limit via RBAC rules?
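
The opt-in mode with a global MTBF and a per-deployment override discussed in this thread, sketched as an added Go example that is not kube-monkey's code. The `Config` fields and the `example/mtbf` label are hypothetical names chosen for illustration, and the namespaces are constructed.

```go
package main

import (
	"fmt"
	"strconv"
)

// Config holds hypothetical settings for this example; these are not
// kube-monkey's real configuration keys.
type Config struct {
	OptIn      bool            // true: only Whitelist namespaces are in scope
	Whitelist  map[string]bool // consulted when OptIn is true
	Blacklist  map[string]bool // consulted when OptIn is false
	GlobalMTBF int             // default MTBF applied to every in-scope deployment
}

// mtbfLabel is a hypothetical label a deployment sets to override GlobalMTBF.
const mtbfLabel = "example/mtbf"

// InScope reports whether deployments in ns may be targeted.
// Opt-in fails closed: a namespace nobody listed is never touched.
// Opt-out fails open: a namespace nobody listed is a target.
func (c Config) InScope(ns string) bool {
	if c.OptIn {
		return c.Whitelist[ns]
	}
	return !c.Blacklist[ns]
}

// MTBF returns the deployment's override when it parses as a positive
// integer, otherwise the global value, so a missing or malformed label
// can never produce a zero or negative interval.
func (c Config) MTBF(labels map[string]string) int {
	if v, err := strconv.Atoi(labels[mtbfLabel]); err == nil && v > 0 {
		return v
	}
	return c.GlobalMTBF
}

func main() {
	optOut := Config{Blacklist: map[string]bool{"kube-system": true}, GlobalMTBF: 3}
	optIn := Config{OptIn: true, Whitelist: map[string]bool{"payments": true}, GlobalMTBF: 3}
	// "feature-1234" stands for a namespace provisioned after the lists were written.
	for _, ns := range []string{"kube-system", "payments", "feature-1234"} {
		fmt.Printf("%-13s opt-out=%-5v opt-in=%v\n", ns, optOut.InScope(ns), optIn.InScope(ns))
	}
	fmt.Println(optIn.MTBF(map[string]string{mtbfLabel: "1"}), optIn.MTBF(nil))
}
```

The newly provisioned namespace is in scope under the blacklist and out of scope under the whitelist, which is the shared-cluster case raised above.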