Preview: Gremlin in Kubernetes Restricted Networks

With Linux version 2.31.0, this feature is enabled by default. We recommend upgrading to this version, where no further configuration is necessary.

Until now, any Gremlin experiment against a container or Kubernetes object target required that `api.gremlin.com` be accessible to that target (via proxy or otherwise). This made Gremlin installations challenging for environments where the network is restricted. For example, administrators of OpenShift environments will use a NetworkPolicy to restrict egress traffic from application pods that do not need any network access.

With Linux version 2.30.3, Gremlin no longer requires this network access from its targets when the environment variable `GREMLIN_TRANSPORT=domain-socket` is supplied to the `gremlind` agent process.

Try it out

To enable this behavior on an existing Kubernetes cluster, ensure you have at least version `2.30.3` installed, then enable the behavior by setting the environment variable:

```shell
# Command assumes Gremlin is installed in the `gremlin` namespace
kubectl set env daemonset/gremlin -n gremlin GREMLIN_TRANSPORT=domain-socket
```

To disable this behavior, simply remove the environment variable, or clear its value.

How it works

Prior to this change, you could visualize Gremlin's network activity as two parallel TCP streams:


gremlin  <--HTTP/TCP--> control plane
gremlind <--HTTP/TCP--> control plane

With `GREMLIN_TRANSPORT=domain-socket`, the `gremlin` experiment sidecar now routes its traffic to the `gremlind` agent process via a unix domain socket (unix(7)), before it is ultimately sent to `api.gremlin.com`.


gremlin  <--HTTP/UNIX--> gremlind <--HTTP/TCP--> control plane
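
The sketch below is an added example, not Gremlin's code: it sends an HTTP request over a unix domain socket to show that the connection is `AF_UNIX` (no IP traffic for a NetworkPolicy egress rule to match) and that access is governed by the socket file's permissions instead. The socket path, handler and request path are constructed for illustration; this page does not describe Gremlin's actual socket location or protocol.

```python
import http.client, os, socket, socketserver, tempfile, threading
from http.server import BaseHTTPRequestHandler

class AgentHandler(BaseHTTPRequestHandler):
    """Stand-in for the agent end of the socket (a real agent would relay over TCP)."""
    def do_GET(self):
        body = f"relayed {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # unix peers have no (host, port) pair to log

class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP client that dials a filesystem path instead of an IP address."""
    def __init__(self, unix_path):
        super().__init__("localhost")  # used for the Host header only, never resolved
        self.unix_path = unix_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "agent.sock")  # hypothetical socket path
        old = os.umask(0o077)  # create the socket file with owner-only access
        try:
            server = socketserver.UnixStreamServer(path, AgentHandler)
        finally:
            os.umask(old)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        conn = UnixHTTPConnection(path)
        conn.connect()
        family = conn.sock.family.name  # AF_UNIX: local IPC, not a TCP stream
        conn.request("GET", "/constructed/ping")  # constructed request path
        resp = conn.getresponse()
        status, body = resp.status, resp.read().decode()
        mode = os.stat(path).st_mode & 0o777  # who may connect to the socket
        conn.close()
        server.shutdown()
        server.server_close()
        return status, body, family, mode

if __name__ == "__main__":
    print(demo())
```

When reviewing a deployment that uses this transport, the socket file's owner, mode and the volume it is shared through are the controls to check, since network egress rules do not see this hop.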