Infrastructure Layer

Installation

Gremlin must be installed on each host you wish to attack. For your hosts (and the containers within them) to be targetable, the installed Gremlin client must be registered with the Gremlin Control Plane.

Gremlin can be deployed into container-based infrastructure environments, virtual infrastructure environments, and bare-metal environments. The only requirement is that the environment runs on Linux.

General steps for deploying to a virtual machine:

  1. Get credentials - Team ID with secret or certificates
  2. Install Gremlin packages: gremlin and gremlind
  3. Register to the Control Plane

General steps for deploying to Kubernetes:

  1. Get credentials - Team ID with secret or certificates
  2. Create Kubernetes secret
  3. Deploy Helm Chart

Virtual Machine

Ubuntu, Debian, etc.

For DEB-based Linux distributions (DEB packages)

# Add the Gremlin repo
echo "deb https://deb.gremlin.com/ release non-free" | sudo tee /etc/apt/sources.list.d/gremlin.list

# Import the GPG key
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 9CDB294B29A5B1E2E00C24C022E8EF3461A50EF6

# Install Gremlin client and daemon
sudo apt-get update && sudo apt-get install -y gremlin gremlind

Note that you may also need to install the apt-transport-https package to be able to install Gremlin from our repo via HTTPS.

Amazon Linux, RHEL, CentOS, etc.

For RPM-based Linux distributions (RPM packages)

# Add the Gremlin repo
sudo curl https://rpm.gremlin.com/gremlin.repo -o /etc/yum.repos.d/gremlin.repo

# Install Gremlin client and daemon
sudo yum install -y gremlin gremlind

Docker Image

Alternatively, instead of installing Gremlin directly on the host operating system, you can deploy Gremlin from the Docker image on DockerHub.

For gremlind to attack Docker containers, you need to add the gremlin user to the docker group after installing Gremlin and Docker.

sudo adduser gremlin docker

Kubernetes

Gremlin allows targeting objects within your Kubernetes clusters. After selecting a cluster, you can filter the visible set of objects by selecting a namespace. Select any of your Deployments, ReplicaSets, StatefulSets, DaemonSets, or Pods. When one object is selected, all child objects will also be targeted. For example, when selecting a DaemonSet, all of the pods within will be selected.

Only parent Kubernetes objects are available to target. Pods will be listed only if they don't belong to a Set or Deployment.

Installation

In addition to the Gremlin client that is installed on the host, or node, of a Kubernetes cluster, you must also install the Gremlin Kubernetes client to the cluster. The Kubernetes client can be installed either using kubectl or helm. Both methods are outlined here.

Create a Kubernetes secret from Gremlin certificates

A Kubernetes secret is different from the secret used for secret-based Gremlin authentication. If you are using secret-based authentication, you can skip this step.

  1. Download the Gremlin certificates (you need at least team manager access)
  2. Unzip certificates.zip
  3. Rename the files in the certificates folder. Team Name.pub_cert.pem becomes gremlin.cert. Team Name.priv_key.pem becomes gremlin.key.
  4. Create a gremlin namespace: kubectl create namespace gremlin
  5. Create a Kubernetes secret by running the following:

    kubectl -n gremlin create secret generic gremlin-team-cert --from-file=/path/to/gremlin.cert --from-file=/path/to/gremlin.key

kubectl

Download and apply the Gremlin configuration manifest

  1. Download the Gremlin configuration manifest by running the following:

    wget https://k8s.gremlin.com/resources/gremlin-conf.yaml

  2. Open the file and update the following:
     - Replace the following line with your team ID: "YOUR TEAM ID GOES HERE"
     - Replace the following line with your team secret: "YOUR TEAM SECRET GOES HERE"
       (If you are using certificate-based authentication, remove this line.)
     - Replace the following line with a string that you will use to identify your cluster: "YOUR UNIQUE CLUSTER NAME GOES HERE"
  3. Apply the manifest with this command: kubectl apply -f /path/to/gremlin-conf.yaml

Download and apply the Gremlin client manifest

If you are using certificate-based authentication:

  1. Download and apply the Gremlin client manifest for your Kubernetes cluster by running the following:

    kubectl apply -f https://k8s.gremlin.com/resources/gremlin-client.yaml

If you are using secret-based authentication:

  1. Download and apply the Gremlin client manifest for your Kubernetes cluster by running the following:

    kubectl apply -f https://k8s.gremlin.com/resources/gremlin-client-secret.yaml

Download and apply the K8s client manifest

If you are using certificate-based authentication:

  1. Download and apply the k8s client manifest by running:

    kubectl apply -f https://k8s.gremlin.com/resources/gremlin-chao.yaml

If you are using secret-based authentication:

  1. Download and apply the k8s client manifest by running:

    kubectl apply -f https://k8s.gremlin.com/resources/gremlin-chao-secret.yaml

Helm

Let Gremlin know your Gremlin team ID and your Kubernetes cluster name

GREMLIN_TEAM_ID="changeit"
GREMLIN_CLUSTER_ID="changeit"

Add the Gremlin beta helm chart

helm repo remove gremlin
helm repo add gremlin https://helm.gremlin.com

Create a namespace for the Gremlin Kubernetes client

kubectl create namespace gremlin

Pass your certificate to both the Gremlin and Kubernetes clients

kubectl create secret generic gremlin-team-cert \
	--namespace=gremlin  \
	--from-file=/path/to/gremlin.cert \
	--from-file=/path/to/gremlin.key

Install the Gremlin Kubernetes client

helm install \
	--namespace gremlin \
	--name gremlin \
	gremlin/gremlin \
	--set gremlin.teamID=$GREMLIN_TEAM_ID \
	--set gremlin.clusterID=$GREMLIN_CLUSTER_ID

Running an attack

Once you select the Kubernetes objects to be targeted, select and configure your desired Gremlin attack. When the attack is run, the underlying containers within the selected objects will be impacted.

Containers share resources with their hosts. Running resource attacks on Kubernetes objects will impact the hosts where the targeted containers are running, including the host's full set of containers.
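To scope an experiment before running it, the targeting rules above can be worked through on a cluster snapshot. The following is an added example, not Gremlin's own code: it assumes parent/child relationships are read from each object's metadata.ownerReferences and that objects are shaped like items from kubectl get -o json. The helper obj, the namespace "shop" and every object name in SAMPLE are constructed for illustration.

```python
from collections import defaultdict

def key(o):
    return (o["kind"], o["metadata"]["namespace"], o["metadata"]["name"])

def build_index(items):
    """Return (objects by key, child keys by owner key, parent-level keys)."""
    by_key, children, parents = {}, defaultdict(list), []
    for o in items:
        by_key[key(o)] = o
        owners = o["metadata"].get("ownerReferences", [])
        for ref in owners:  # an owner lives in the child's namespace
            children[(ref["kind"], key(o)[1], ref["name"])].append(key(o))
        if not owners:      # no owner: a parent object or a standalone pod
            parents.append(key(o))
    return by_key, children, parents

def targeted_pods(items, target):
    """Pods reached by walking ownership downward from the selected object."""
    by_key, children, _ = build_index(items)
    stack, seen = [target], set()
    while stack:
        k = stack.pop()
        if k in by_key and k not in seen:
            seen.add(k)
            stack.extend(children[k])
    return {k for k in seen if k[0] == "Pod"}

def resource_attack_impact(items, target):
    """Hosts running targeted pods, plus untargeted pods sharing those hosts."""
    by_key, _, _ = build_index(items)
    pods = targeted_pods(items, target)
    node = lambda o: o.get("spec", {}).get("nodeName")  # None if unscheduled
    nodes = {node(by_key[p]) for p in pods} - {None}
    bystanders = {key(o) for o in items if o["kind"] == "Pod" and node(o) in nodes}
    return nodes, bystanders - pods

def obj(kind, name, owner=None, node=None):  # builder for the constructed sample
    refs = [{"kind": owner[0], "name": owner[1]}] if owner else []
    return {"kind": kind, "spec": {"nodeName": node} if node else {},
            "metadata": {"namespace": "shop", "name": name, "ownerReferences": refs}}

SAMPLE = [  # constructed cluster snapshot, not real output
    obj("Deployment", "cart"), obj("ReplicaSet", "cart-7d9", ("Deployment", "cart")),
    obj("Pod", "cart-7d9-a", ("ReplicaSet", "cart-7d9"), "node-1"),
    obj("Pod", "cart-7d9-b", ("ReplicaSet", "cart-7d9"), "node-2"),
    obj("StatefulSet", "db"), obj("Pod", "db-0", ("StatefulSet", "db"), "node-1"),
    obj("Pod", "debug", node="node-3"),
]
```

In the sample, selecting the cart Deployment targets two pods on node-1 and node-2, and a resource attack there also reaches the untargeted db-0 pod because it shares node-1.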

ECS, Swarm, Mesos

Additional installation tutorials are available on our community site.

After Installation

You can see your installed clients on the clients page.

Follow the advanced configuration for additional configuration options.