lucky-sideburn / kubeinvaders

Gamified Chaos Engineering Tool for Kubernetes
Apache License 2.0
1.02k stars 127 forks source link
aliens chaos chaos-engineering game hacktoberfest kube-linter kubeinvaders kubeinvaders-container kubernetes openshift pods workstation

kubeinvaders :space_invader: aka k-inv :joystick:

Gamified Chaos Engineering Tool for K8s

This project is part of landscape of Cloud Native Computing Foudation in the Observability and Analysis - Chaos Engineering section.

Backed by the teams at platformengineering.it and devopstribe.it, which provides enterprise-grade features and certified resilience services for your Kubernetes infrastructure.

Here are the slides from the Chaos Engineering speech I prepared for FOSDEM 2023. Unfortunately, I could not be present at my talk, but I would still like to share them with the community.

Table of Contents

  1. Description
  2. Installation
  3. Usage
  4. URL Monitoring During Chaos Session
  5. Persistence
  6. Generic Troubleshooting & Known Problems
  7. Troubleshooting Unknown Namespace
  8. Metrics
  9. Security
  10. Roadmap
  11. Community
  12. Community blogs and videos
  13. License

Description

With k-inv, you can stress a K8s cluster in a fun way and check how resilient it is.

Installation

Run through Docker or Podman

Create the required components (assumes k8s v1.24+):

cat << 'EOF' | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: kubeinvaders
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kinv-cr
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - delete
  - apiGroups:
      - batch
      - extensions
    resources:
      - jobs
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - get
      - watch
      - list
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kinv-sa
  namespace: kubeinvaders
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kinv-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kinv-cr
subjects:
  - kind: ServiceAccount
    name: kinv-sa
    namespace: kubeinvaders
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: kinv-sa-token
  namespace: kubeinvaders
  annotations:
    kubernetes.io/service-account.name: kinv-sa
EOF

Extract the token:

TOKEN=$(k get secret -n kubeinvaders -o go-template='{{.data.token | base64decode}}' kinv-sa-token)

Create two namespaces:

kubectl create namespace namespace1
kubectl create namespace namespace2

Run the container:

podman run -p 3131:8080 \
--env K8S_TOKEN=$TOKEN \
--env ENDPOINT=localhost:3131 \
--env INSECURE_ENDPOINT=true \
--env KUBERNETES_SERVICE_HOST=<k8s_controlplane_host> \
--env KUBERNETES_SERVICE_PORT_HTTPS=<k8s_controlplane_port> \
--env NAMESPACE=namespace1,namespace2 \
luckysideburn/kubeinvaders:latest

Given this example, you can access k-inv at the following address: http://localhost:3131

Params

K8S_TOKEN

These are the permissions your service account must have. You can take an example from this clusterrole.

ENDPOINT

Host and port of the web console.

INSECURE_ENDPOINT

Select HTTP or HTTPS for the web console.

KUBERNETES_SERVICE_HOST

IP address or DNS name of your control plane.

KUBERNETES_SERVICE_PORT_HTTPS

TCP port of the target control plane.

NAMESPACE

List the namespaces you want to stress or on which you want to see logs (logs are a beta feature, they might not work or could slow down the browser...).

docker run -p 8080:8080 \
--env K8S_TOKEN=<k8s_service_account_token>  \
--env ENDPOINT=localhost:8080 \
--env INSECURE_ENDPOINT=true \
--env KUBERNETES_SERVICE_HOST=<k8s_controlplane_host> \
--env KUBERNETES_SERVICE_PORT_HTTPS=<k8s_controlplane_port> \
--env NAMESPACE=<comma_separated_namespaces_to_stress> \
luckysideburn/kubeinvaders:develop

Install to Kubernetes with Helm (v3+)

If you need a lab kubernetes cluster you can use this setup via Make and Minikube. Follow this readme

Artifact HUB

# Please be sure to use kubeinvaders-1.9.8 that is ne latest helm chart version!

helm repo add kubeinvaders https://lucky-sideburn.github.io/helm-charts/
helm repo update

kubectl create namespace kubeinvaders

# With ingress and TLS enabled
helm install --set-string config.target_namespace="namespace1\,namespace2" --set ingress.enabled=true --set ingress.hostName=kubeinvaders.local --set deployment.image.tag=latest -n kubeinvaders kubeinvaders kubeinvaders/kubeinvaders --set ingress.tls_enabled=true

# With ingress enabled but TLS disabled (in case you have a reverse-proxy that does TLS termination and nginx controller in http)
helm install --set-string config.target_namespace="namespace1\,namespace2" --set ingress.enabled=true --set ingress.hostName=kubeinvaders.local --set deployment.image.tag=latest -n kubeinvaders kubeinvaders kubeinvaders/kubeinvaders/ --set ingress.tls_enabled=false

Example for K3S

curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--disable traefik" sh -s -

cat >/tmp/ingress-nginx.yaml <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: ingress-nginx
  namespace: kube-system
spec:
  chart: ingress-nginx
  repo: https://kubernetes.github.io/ingress-nginx
  targetNamespace: ingress-nginx
  version: v4.9.0
  set:
  valuesContent: |-
    fullnameOverride: ingress-nginx
    controller:
      kind: DaemonSet
      hostNetwork: true
      hostPort:
        enabled: true
      service:
        enabled: false
      publishService:
        enabled: false
      metrics:
        enabled: false
        serviceMonitor:
          enabled: false
      config:
        use-forwarded-headers: "true"
EOF

kubectl create -f /tmp/ingress-nginx.yaml

kubectl create ns namespace1
kubectl create ns namespace2

export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

helm install kubeinvaders --set-string config.target_namespace="namespace1\,namespace2" \
-n kubeinvaders kubeinvaders/kubeinvaders --set ingress.enabled=true --set ingress.hostName=kubeinvaders.io --set deployment.image.tag=latest

Install to Kubernetes with Helm (v3+) - LoadBalancer / HTTP (tested with GKE)

helm install kubeinvaders --set-string config.target_namespace="namespace1\,namespace2" -n kubeinvaders kubeinvaders/kubeinvaders --set ingress.enabled=true --set ingress.hostName=kubeinvaders.local --set deployment.image.tag=latest --set service.type=LoadBalancer --set service.port=80

kubectl set env deployment/kubeinvaders INSECURE_ENDPOINT=true -n kubeinvaders

SCC for Openshift

oc adm policy add-scc-to-user anyuid -z kubeinvaders

Route for Openshift

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: kubeinvaders
  namespace: "kubeinvaders"
spec:
  host: "kubeinvaders.io"
  to:
    name: kubeinvaders
  tls:
    termination: Edge

Add simple nginx Deployment for Pods to shot at

cat >deployment.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 20 # tells deployment to run 20 pods matching the template
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.24.0
        ports:
        - containerPort: 81
EOF

Apply Nginx Deployment in namespace1 and namespace2

sudo kubectl apply -f deployment.yaml -n namespace1
sudo kubectl apply -f deployment.yaml -n namespace2

Usage

At the top you will find some metrics as described below:

Alt Text

Current Replicas State Delay is a metric that show how much time the cluster takes to come back at the desired state of pods replicas.

This is a control-plane you can use to switch off & on various features.

Alt Text

Start The Chaos Experiment

Press the "Start" button to initiate the automatic pilot (the button changes to "Stop" to disable this feature).

Enable Shuffle :joystick:

Press the "Enable Shuffle" button to randomly rearrange the positions of pods or K8s nodes (the button changes to "Disable Shuffle" to deactivate this feature).

Enable Auto Jump Between Namespace :joystick:

Press the "Auto NS Switch" button to randomly switch between namespaces (the button changes to "Disable Auto NS Switch" to deactivate this feature).

Show / Hide Pods Name :joystick:

Press the "Hide Pods Name" button to conceal the names of the pods beneath the aliens (the button changes to "Show Pods Name" to deactivate this feature).

Information about Current Status and Events :joystick:

As described below, on the game screen near the spaceship, there are details about the current cluster, namespace, and some configurations.

Alt Text

Under the + and - buttons, a bar appears with the latest game events.

Alt Text

Show Special Keys :joystick:

Press 'h' or select 'Show Special Keys' from the menu.

Zoom In / Out :joystick:

Press the + or - buttons to increase or decrease the game screen.

Chaos Containers for Master and Worker Nodes

URL Monitoring During Chaos Session

During a chaos engineering session, you can monitor the behavior of an HTTP call exposed by an Ingress.

Use the flag "Add HTTP check & Chaos Report" and add the URL to monitor Alt Text

Follow real time charts during the experiment

Alt Text

Persistence

K-inv uses Redis to save and manage data. Redis is configured with "appendonly."

Currently, the Helm chart does not support PersistentVolumes, but this task is on the to-do list...

Generic Troubleshooting and Known Problems

Troubleshooting Unknown Namespace

Prometheus Metrics

KubeInvaders exposes metrics for Prometheus through the standard endpoint /metrics.

Here is an example of Prometheus configuration:

scrape_configs:
- job_name: kubeinvaders
  static_configs:
  - targets:
    - kubeinvaders.kubeinvaders.svc.cluster.local:8080

Example of metrics:

Metric Description
chaos_jobs_node_count{node=workernode01} Total number of chaos jobs executed per node
chaos_node_jobs_total Total number of chaos jobs executed against all worker nodes
deleted_pods_total 16 Total number of deleted pods
deleted_namespace_pods_count{namespace=myawesomenamespace} Total number of deleted pods per namespace

Download Grafana dashboard

Alt Text

Alt Text

Security

In order to restrict the access to the Kubeinvaders endpoint add this annotation into the ingress.

nginx.ingress.kubernetes.io/whitelist-source-range: <your_ip>/32

Roadmap

Roadmap: Chaos Engineering Platform Enhancement Phase 1: Authentication and Authorization

Implement robust user authentication:
    Allow for both local and external authentication (e.g., LDAP, OAuth)
    Securely store user credentials
Introduce role-based access control (RBAC):
    Define granular permissions based on user roles (e.g., admin, engineer, viewer)
    Enforce authorization at the resource level (namespaces, experiments, etc.)

Phase 2: Analytics and Reporting

Develop namespace-specific statistics:
    Track the frequency of chaos engineering sessions per namespace
    Visualize trends and patterns over time
Create comprehensive reports:
    Generate customizable reports for management
    Include metrics on experiment coverage, success rates, and failure rates
Export reporting data:
    Allow for data export in various formats (e.g., CSV, JSON, PDF)

Phase 3: API Development

Expose platform functionality via a RESTful API:
    Enable integration with other tools and systems
    Support CRUD operations for core entities (experiments, scenarios, etc.)

Phase 4: UI Enhancements

Improve user experience:
    Redesign the UI for better usability and aesthetics
    Optimize performance and responsiveness

Phase 5: LLM Integration for Experiment Creation

Integrate an LLM: Develop an interface that allows users to describe experiments in natural language.
Translate to code: Utilize the LLM to translate natural language descriptions into executable code.
Validate and optimize: Implement mechanisms to validate and optimize the code generated by the LLM.

Community

Please reach out for news, bugs, feature requests, and other issues via:

Community blogs and videos

License

KubeInvaders is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.