Infrastructure Layer

Kubernetes

Gremlin allows targeting objects within your Kubernetes clusters. After selecting a cluster, you can filter the visible set of objects by selecting a namespace. Select any of your Deployments, ReplicaSets, StatefulSets, DaemonSets, or Pods. When one object is selected, all child objects will also be targeted. For example, when selecting a DaemonSet, all of the pods within will be selected.

Only parent Kubernetes objects are available to target. Pods will be listed only if they don't belong to a Set or Deployment.

Installation

In addition to the Gremlin client that is installed on the host, or node, of a Kubernetes cluster, you must also install the Gremlin Kubernetes client to the cluster. The Kubernetes client can be installed either using kubectl or helm. Both methods are outlined here.

Create a Kubernetes secret from Gremlin certificates

(Skip this step if you are using secret-based authentication)

  1. Download the Gremlin certificates (you need at least team manager access)
  2. Unzip certificates.zip
  3. Rename the files in the certificates folder. Team Name.pub_cert.pem becomes gremlin.cert. Team Name.priv_key.pem becomes gremlin.key.
  4. Create a gremlin namespace: kubectl create namespace gremlin
  5. Create a Kubernetes secret by running the following:

    kubectl -n gremlin create secret generic gremlin-team-cert --from-file=/path/to/gremlin.cert --from-file=/path/to/gremlin.key
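
The rename in step 3 is easy to get wrong when the team name contains spaces, when more than one team's files sit in the folder, or when the two files are swapped. The shell function below is an added example, not part of Gremlin's documentation or tooling; the function name `prepare_gremlin_certs`, its exit codes and the output directory are assumptions, and it assumes both files are PEM text.

```shell
#!/bin/sh
# Added example, not Gremlin tooling. Function name and exit codes are hypothetical.
# prepare_gremlin_certs SRC_DIR OUT_DIR
#   Finds the one "<Team Name>.pub_cert.pem" / "<Team Name>.priv_key.pem" pair in
#   SRC_DIR and copies it to OUT_DIR/gremlin.cert and OUT_DIR/gremlin.key.
#   Status: 0 ok, 1 copy failed, 2 file missing, 3 ambiguous, 4 wrong content.
prepare_gremlin_certs() (
    # The body runs in a subshell, so umask, "set --" and exit stay local.
    src=$1 out=$2
    umask 077                      # new files are owner-only from creation

    set -- "$src"/*.pub_cert.pem   # glob keeps spaces in the team name intact
    [ -f "$1" ] || { echo "no *.pub_cert.pem in $src" >&2; exit 2; }
    [ $# -eq 1 ] || { echo "several *.pub_cert.pem in $src" >&2; exit 3; }
    cert=$1

    set -- "$src"/*.priv_key.pem
    [ -f "$1" ] || { echo "no *.priv_key.pem in $src" >&2; exit 2; }
    [ $# -eq 1 ] || { echo "several *.priv_key.pem in $src" >&2; exit 3; }
    key=$1

    # Assumption: both files are PEM text, as the .pem extension suggests.
    # Catch a swapped or mis-saved pair before it lands in the cluster secret.
    grep -q -- 'PRIVATE KEY-----' "$key" || { echo "$key: no private key" >&2; exit 4; }
    if grep -q -- 'PRIVATE KEY-----' "$cert"; then
        echo "$cert: contains a private key" >&2; exit 4
    fi

    mkdir -p "$out" || exit 1
    cp "$cert" "$out/gremlin.cert" && cp "$key" "$out/gremlin.key" || exit 1
    chmod 600 "$out/gremlin.key"   # cp onto an existing file keeps its old mode
)

# Usage, followed by the page's own step 5:
#   prepare_gremlin_certs ./certificates ./gremlin-secret
#   kubectl -n gremlin create secret generic gremlin-team-cert \
#     --from-file=./gremlin-secret/gremlin.cert --from-file=./gremlin-secret/gremlin.key
```
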

kubectl

Download and apply the Gremlin configuration manifest

  1. Download the Gremlin configuration manifest by running the following:

    wget https://k8s.gremlin.com/resources/gremlin-conf.yaml

  2. Open the file and update the following:
  3. Replace the following line with your team ID: "YOUR TEAM ID GOES HERE"
  4. Replace the following line with your team secret: "YOUR TEAM SECRET GOES HERE"

    (If you are using certificate-based authentication, remove this line.)

  5. Replace the following line with a string that you will use to identify your cluster: "YOUR UNIQUE CLUSTER NAME GOES HERE"
  6. Apply the manifest with this command: kubectl apply -f /path/to/gremlin-conf.yaml

Download and apply the Gremlin client manifest

If you are using certificate-based authentication:

  1. Download and apply the Gremlin client manifest for your Kubernetes cluster by running the following:

    kubectl apply -f https://k8s.gremlin.com/resources/gremlin-client.yaml

If you are using secret-based authentication:

  1. Download and apply the Gremlin client manifest for your Kubernetes cluster by running the following:

    kubectl apply -f https://k8s.gremlin.com/resources/gremlin-client-secret.yaml

Download and apply the K8s client manifest

If you are using certificate-based authentication:

  1. Download and apply the K8s client manifest by running:

    kubectl apply -f https://k8s.gremlin.com/resources/gremlin-chao.yaml

If you are using secret-based authentication:

  1. Download and apply the K8s client manifest by running:

    kubectl apply -f https://k8s.gremlin.com/resources/gremlin-chao-secret.yaml

Helm

Let Gremlin know your Gremlin team ID and your Kubernetes cluster name

GREMLIN_TEAM_ID="changeit"
GREMLIN_CLUSTER_ID="changeit"

Add the Gremlin beta helm chart

helm repo remove gremlin
helm repo add gremlin https://helm.gremlin.com

Create a namespace for the Gremlin Kubernetes client

kubectl create namespace gremlin

Pass your certificate to both the Gremlin and Kubernetes clients

kubectl create secret generic gremlin-team-cert \
	--namespace=gremlin  \
	--from-file=/path/to/gremlin.cert \
	--from-file=/path/to/gremlin.key

Install the Gremlin Kubernetes client

helm install \
	--namespace gremlin \
	--name gremlin \
	gremlin/gremlin \
	--set gremlin.teamID=$GREMLIN_TEAM_ID \
	--set gremlin.clusterID=$GREMLIN_CLUSTER_ID

Running an attack

Once you select the Kubernetes objects to be targeted, select and configure your desired Gremlin attack. When the attack is run, the underlying containers within the selected objects will be impacted.

Containers share resources with their hosts. Running resource attacks on Kubernetes objects will impact the hosts where the targeted containers are running, including the host's full set of containers.