Gremlin Docs Logo
Go to app
Quick Start Guides
AWS Quick Start Guide
Reliability Management (RM) Quick Start Guide
Getting Started
Compatibility
Installing the Gremlin Agent
Authenticating the Gremlin Agent
Configuring the Gremlin Agent
Enabling DNS collection
Enabling AWS PrivateLink
Platform
Private Network Integration Agent
Managing the Gremlin Agent
Updating Gremlin
Managing Users and Teams
Configuring Role Based Access Control (RBAC)
User Authentication via SAML and Okta
Managing Kubernetes namespaces
Integrations
Health Checks
Restricting Testing Times
Command Line Interface
Reports
Managing running, scheduled, and past experiments
Gremlin Private Edition
Reliability Management
Services and Dependencies
Detected Risks
Test Suites
Reliability Tests
Reliability Score
Fault Injection
Targets
Experiments
Scenarios
GameDays
Failure Flags
Failure Flags
Deploying Failure Flags on AWS Lambda
Deploying Failure Flags on AWS ECS
Deploying Failure Flags on Kubernetes
Deploying Failure Flags on the Istio service mesh via Envoy
Deploying Failure Flags on Pivotal Cloud Foundry (PCF)
Installing the Failure Flags SDK
Running Failure Flags experiments
API Reference
Getting started with the Gremlin API
Classes, methods, & attributes
API examples
Security
Security
Container security
Release Notes
GeneralLinuxIntegration Agent for LinuxWindowsChaoHelmFailure Flags: SidecarFailure Flags: Lambda Extension
Resources
Gremlin User Community SlackBlogTutorialsGlossary
Start your 30 day free trial.
START FOR FREE
Docs Home
Getting Started
Installing Gremlin on Kubernetes with Helm

Installing Gremlin on Kubernetes with Helm

Supported platforms:

N/A

The Gremlin Kubernetes agent lets you run experiments and reliability tests on standard Kubernetes resources, as well as Argo Rollouts. The Gremlin Helm Chart is the recommended way to install the Gremlin agent on Kubernetes. If you want to install Gremlin using plain YAML files and kubectl, see Install Gremlin on Kubernetes manually.

The Gremlin Helm Chart requires Helm v3 or later.

Warning when using shareProcessNamespace
If you have shareProcessNamespace enabled, process-focused experiments like Shutdown and Process Killer will affect all containers in the target pod. This can also include Memory experiments that are halted due to the OOMkiller. To mitigate this, use Process Killer to target the specific PID of the container you want to impact. Note that when the first process (PID 1) in this namespace terminates, Kubernetes will terminate all other processes in the pod.

Using the auto-generated Helm command (recommended)

Gremlin automatically generates a command that you can use to easily deploy and authenticate Gremlin via Helm. To use the auto-generated installation method:

  1. Log into the Gremlin web app and navigate to the Getting Started page.
  2. Under step 1 ("Install the Gremlin Agent"), click on the link to the values.yaml  file. This will prompt you to download the file to your PC.
  3. Open a terminal and run the following command. Make sure to replace [your-cluster-ID] with the name of your cluster:
SHELL

helm install gremlin gremlin/gremlin \
  --namespace gremlin \
  --create-namespace \
  --values values.yaml \
  --set gremlin.secret.clusterID=[your-cluster-ID]

Manually deploying via Helm

The steps for deploying to Kubernetes with Helm are:

  1. Gather your credentials
  2. Deploy the Helm chart
  3. Additional configuration
  4. Verify your installation

Gather your credentials

All Gremlin integration installations require you to use one of Gremlin's authentication methods. With Helm, you can use either signature (i.e. certificate)-based authentication or secret authentication. Secret-based authentication is easier to implement, but we recommend using certificate-based authentication. We'll show both methods in this guide.

First, retrieve your Team ID from your team settings page. Next, if you're using secret-based authentication, create a new secret, copy the secret to a text file (or keep the pop-up open), then continue to the next step.

If you're using certificate-based authentication, generate a new certificate pair, or download an existing certificate pair if one exists. Unzip the folder containing your certificates, then continue to the next step.

Deploy the Helm chart

Now that we have our credentials, let's add the Gremlin Helm repo and create a new namespace for our deployment:

SHELL

helm repo add gremlin https://helm.gremlin.com/
kubectl create namespace gremlin

Now we'll deploy the Chart. With this command, your team ID and secrets/certificates are passed directly to the Helm Chart. If you'd prefer to manage these secrets outside of Helm, see our Helm Chart documentation.

Important
Make sure to set the values of gremlin.secret.teamID, gremlin.secret.clusterID, gremlin.secret.certificate, and gremlin.secret.key to your actual Gremlin team ID, cluster ID, path to the certificate file, and path to the key file respectively.

For secret-based authentication:

SHELL

helm install gremlin gremlin/gremlin \
    --namespace gremlin \
    --set      gremlin.secret.type=secret \
    --set      gremlin.secret.managed=true \
    --set      gremlin.hostPID=true \
    --set      gremlin.hostNetwork=true \
    --set      gremlin.secret.teamID=YourGremlinTeamID \
    --set      gremlin.secret.clusterID=YourGremlinClusterID \
    --set      gremlin.secret.teamSecret=YourGremlinTeamSecret

For certificate-based authentication:

SHELL

helm install gremlin gremlin/gremlin \
    --namespace gremlin \
    --set      gremlin.secret.type=certificate \
    --set      gremlin.secret.managed=true \
    --set      gremlin.hostPID=true \
    --set      gremlin.hostNetwork=true \
    --set      gremlin.secret.teamID=YourGremlinTeamID \
    --set      gremlin.secret.clusterID=YourGremlinClusterID \
    --set-file gremlin.secret.certificate=/path/to/gremlin.cert \
    --set-file gremlin.secret.key=/path/to/gremlin.key

Additional configuration

The Helm Chart includes several additional options for customizing to your environment. These options include:

  • Specifying a container driver (Gremlin will try to auto-detect the current driver, but you can also tell Gremlin to use a specific driver).
  • Enabling Gremlin on the Kubernetes Master so you can run tests on the Kubernetes Control Plane.
  • Enabling AppArmor support for clusters that use AppArmor.
  • Installing Gremlin's custom PodSecurityPolicy or seccomp policy for restrictive clusters.
  • Configuring Gremlin to use a proxy.
  • Allowing multiple Gremlin teams to target specific namespaces.
  • Allow adding arbitrary environment variables.
  • Allow adding arbitrary annotations to Kubernetes service account.

These are optional and are only necessary if Gremlin doesn't run using the default options. To learn more, see the Additional Configuration for Helm docs.

Verify your installation

On the cluster, you can run the following command to check that the Gremlin Agent was installed properly:

SHELL

kubectl get pods -n gremlin

This should list one Gremlin Agent for each node in your cluster, plus one Pod named <span class="code-class-custom">chao</span>. For example, this is the output for a three-node cluster:

SHELL

kubectl get pods -n gremlin

NAME                    READY   STATUS    RESTARTS   AGE
chao-78bbc7cbf6-9hn7q   1/1     Running   0          5d20h
gremlin-9r4t7           1/1     Running   0          5d20h
gremlin-bwmtz           1/1     Running   1          126d
gremlin-bx6dn           1/1     Running   0          5d20h

The following example shows 2 pending pods, which means the installation is incomplete. Contact your cluster administrator to debug why Gremlin is unable to run on those nodes.

SHELL

kubectl get pods -n gremlin

NAME                    READY   STATUS    RESTARTS   AGE
chao-78bbc7cbf6-9hn7q   1/1     Running   0          5d20h
gremlin-c25ld           0/1     Pending   0          112d
gremlin-n5gt7           0/1     Pending   0          112d
gremlin-zn4kq           1/1     Running   0          126d

Note
Gremlin can only target cluster resources on nodes that have a Gremlin Agent running on them. If you run a test that targets a resource on a node without a Gremlin Agent, the test will report an error. If Chao is not running, you won't be able to target cluster resources at all.

If you need additional troubleshooting help, see Gremlin Agent in the Gremlin Knowledge Base.

Uninstalling Gremlin from Kubernetes with Helm

To uninstall Gremlin via Helm, run the following commands:

BASH

helm uninstall gremlin -n gremlin
kubectl delete namespace gremlin

Privileges required

Privilege Description
CLIENTS_READAllows reading all client information within the team
CLIENTS_WRITEAllows editing all client information within the team
TEAM_SECURITY_READAllows reading of team related credential information

Previous
Previous
Compatibility
Next
Next
On this page
Back to top