Infrastructure Layer

Preview Gremlin on Crio and Containerd


Pre-requisites

You’ll need to download a certificate key-pair or create a team secret before installing Gremlin.

Install with Helm

The easiest way to install the Gremlin preview is with Helm. First add the gremlin-beta Helm repo. Visit gremlin/helm for the other values you can pass to this Helm chart.

shell
helm repo add gremlin-beta https://helm.gremlin.com/beta

We also recommend installing Gremlin into its own namespace (e.g. gremlin).

shell
kubectl create namespace gremlin

Install with a Certificate Key-Pair

With GREMLIN_TEAM_ID set to your team’s ID, and your certificate key-pair downloaded and unzipped to ./cert.pem and ./key.pem:

shell
helm install gremlin gremlin-beta/gremlin \
  --namespace gremlin \
  --set runtime.name=containerd \
  --set gremlin.hostPID=true \
  --set gremlin.secret.managed=true \
  --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \
  --set gremlin.secret.clusterID=my-cluster \
  --set-file gremlin.secret.certificate=./cert.pem \
  --set-file gremlin.secret.key=./key.pem

Install with a Team Secret

With GREMLIN_TEAM_ID set to your team’s ID, and GREMLIN_TEAM_SECRET set to your team’s secret:

shell
helm install gremlin gremlin-beta/gremlin \
  --namespace gremlin \
  --set runtime.name=containerd \
  --set gremlin.hostPID=true \
  --set gremlin.secret.managed=true \
  --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \
  --set gremlin.secret.teamSecret=$GREMLIN_TEAM_SECRET \
  --set gremlin.secret.clusterID=my-cluster

Considerations for Clusters using Pod Security Policies

Gremlin performs some actions that are prohibited by the restrictive PodSecurityPolicies many clusters install by default:

  • Run as root within the containers Gremlin manages
  • Run in the host’s PID namespace (Gremlin will not need this in a later release)
  • Access to hostPath mounts:
    • Read-only access to /sys/fs/cgroup
    • Read-only access to /etc/containers/policy.json
    • Read-only access to /run/systemd/resolve/resolv.conf
    • Read-only access to the unix domain socket of the target container runtime (e.g. /var/run/crio/crio.sock)
    • Write access to the runc root of the target container runtime (e.g. /run/runc)
    • Write access to /var/lib/gremlin and /var/log/gremlin
  • Acquire capabilities for running attacks and attaching to existing container namespaces: CAP_KILL, CAP_NET_ADMIN, CAP_SYS_BOOT, CAP_SYS_TIME, CAP_SYS_ADMIN
  • A seccomp profile that allows keyctl and pivot_root syscalls

Gremlin’s Helm chart provides a PodSecurityPolicy which grants Gremlin everything it needs, and nothing else. Install it by supplying --set gremlin.usePodSecurityPolicy=true when installing Gremlin. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on clusters that enforce Pod Security Admission instead, every item in the list above violates the baseline profile, so the gremlin namespace must be labelled pod-security.kubernetes.io/enforce=privileged for the pods to be admitted.

shell
helm install gremlin gremlin-beta/gremlin \
  --namespace gremlin \
  --set runtime.name=containerd \
  --set gremlin.hostPID=true \
  --set gremlin.usePodSecurityPolicy=true \
  --set gremlin.secret.managed=true \
  --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \
  --set gremlin.secret.clusterID=my-cluster \
  --set-file gremlin.secret.certificate=./cert.pem \
  --set-file gremlin.secret.key=./key.pem

To see exactly which PodSecurityPolicy settings Gremlin needs, render the relevant templates without installing anything:

shell
helm template gremlin gremlin-beta/gremlin -s templates/gremlin-service-account.yaml -s templates/seccomp-installer.yaml \
  --namespace gremlin \
  --set gremlin.usePodSecurityPolicy=true \
  --set gremlin.hostPID=true \
  --set runtime.name=containerd \
  --set gremlin.secret.managed=true \
  --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \
  --set gremlin.secret.clusterID=my-cluster \
  --set-file gremlin.secret.certificate=./cert.pem \
  --set-file gremlin.secret.key=./key.pem
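Rendering the templates shows what the chart asks for, but on a cluster that hands out hostPID, CAP_SYS_ADMIN and write access to the runtime's runc root, a practitioner will also want a repeatable check that the pod spec asks for nothing beyond the list above. The following audit script is an added example, not code from Gremlin or its Helm chart. It assumes the rendered YAML has been converted to a JSON stream with kubectl create --dry-run=client -o json -f -, takes the CRI-O socket and runc root paths from the page's examples, and assumes /run/containerd/containerd.sock as the containerd socket; the sample manifests embedded at the bottom are constructed for illustration.

```python
"""Audit rendered Gremlin manifests against the privilege list on this page.

Assumed pipeline (not from the Gremlin docs):
  helm template gremlin gremlin-beta/gremlin --namespace gremlin ... \
    | kubectl create --dry-run=client -o json -f - | python3 audit_gremlin_privs.py
"""
import json
import sys
from typing import Iterator, List, Optional

# Read-only hostPaths from the page. The CRI-O socket is the page's example;
# the containerd socket path is an assumption about that runtime's default.
ALLOWED_RO = {"/sys/fs/cgroup", "/etc/containers/policy.json",
              "/run/systemd/resolve/resolv.conf", "/var/run/crio/crio.sock",
              "/run/containerd/containerd.sock"}
# Writable hostPaths from the page (runc root uses the page's CRI-O example).
ALLOWED_RW = {"/run/runc", "/var/lib/gremlin", "/var/log/gremlin"}
ALLOWED_CAPS = {"KILL", "NET_ADMIN", "SYS_BOOT", "SYS_TIME", "SYS_ADMIN"}


def iter_objects(text: str) -> Iterator[dict]:
    """Yield each object in a stream of concatenated JSON documents,
    flattening any 'List' wrapper kubectl may emit."""
    dec, pos, end = json.JSONDecoder(), 0, len(text)
    while True:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            return
        obj, pos = dec.raw_decode(text, pos)
        if obj.get("kind") == "List":
            yield from obj.get("items", [])
        else:
            yield obj


def pod_spec(obj: dict) -> Optional[dict]:
    """Pod spec of a Pod, or of a workload carrying a pod template."""
    if obj.get("kind") == "Pod":
        return obj["spec"]
    if obj.get("kind") in ("DaemonSet", "Deployment", "StatefulSet", "Job"):
        return obj["spec"]["template"]["spec"]
    return None


def audit_pod_spec(name: str, spec: dict) -> List[str]:
    """Report anything the pod asks for beyond what the page lists."""
    findings: List[str] = []
    for field in ("hostNetwork", "hostIPC"):  # hostPID is documented; these are not
        if spec.get(field):
            findings.append(f"{name}: {field}=true is not among Gremlin's documented needs")
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c['name']}"
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged=true (far broader than the documented caps)")
        # Kubernetes spells capabilities without the CAP_ prefix; accept either form.
        caps = {x.upper()[4:] if x.upper().startswith("CAP_") else x.upper()
                for x in (sc.get("capabilities") or {}).get("add") or []}
        if caps - ALLOWED_CAPS:
            findings.append(f"{cname}: undocumented capabilities {sorted(caps - ALLOWED_CAPS)}")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue  # not a hostPath volume
            if m.get("readOnly") and path not in ALLOWED_RO | ALLOWED_RW:
                findings.append(f"{cname}: undocumented read-only hostPath {path}")
            elif not m.get("readOnly") and path not in ALLOWED_RW:
                findings.append(f"{cname}: hostPath {path} mounted read-write")
    return findings


def audit_stream(text: str) -> List[str]:
    """Audit every workload in the stream; an empty list means 'as documented'."""
    findings: List[str] = []
    for obj in iter_objects(text):
        spec = pod_spec(obj)
        if spec is not None:
            findings.extend(audit_pod_spec(obj.get("metadata", {}).get("name", "?"), spec))
    return findings


# Constructed sample: a DaemonSet matching the page's list, and an over-privileged one.
SAMPLE_STREAM = "\n".join(json.dumps(o) for o in [
    {"kind": "DaemonSet", "metadata": {"name": "gremlin"}, "spec": {"template": {"spec": {
        "hostPID": True,
        "volumes": [{"name": "cgroup", "hostPath": {"path": "/sys/fs/cgroup"}},
                    {"name": "runc", "hostPath": {"path": "/run/runc"}}],
        "containers": [{"name": "gremlin",
                        "securityContext": {"runAsUser": 0, "capabilities": {"add": sorted(ALLOWED_CAPS)}},
                        "volumeMounts": [{"name": "cgroup", "mountPath": "/sys/fs/cgroup", "readOnly": True},
                                         {"name": "runc", "mountPath": "/run/runc"}]}]}}}},
    {"kind": "Deployment", "metadata": {"name": "chaos-extra"}, "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "etc", "hostPath": {"path": "/etc"}}],
        "containers": [{"name": "agent",
                        "securityContext": {"privileged": True, "capabilities": {"add": ["CAP_SYS_PTRACE"]}},
                        "volumeMounts": [{"name": "etc", "mountPath": "/host/etc"}]}]}}}},
])

if __name__ == "__main__":
    problems = audit_stream(sys.stdin.read())
    print("\n".join(problems) if problems else "pod specs match Gremlin's documented needs")
    sys.exit(1 if problems else 0)
```

Run it in CI against the rendered chart whenever the chart version is bumped: a non-zero exit means a new release asks for more than the PSP on this page grants, which is exactly the moment to re-read the diff rather than widen the policy. Because hostPath read-only status lives on the volumeMount, not the volume, the script joins the two by name; a mount that omits readOnly is treated as writable, which is how the kubelet treats it too.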