Krkn RBAC

RBAC Authorization rules required to run Krkn scenarios.

RBAC Configurations

Krkn supports two types of RBAC configurations:

  1. Ns-Privileged RBAC: Provides namespace-scoped permissions for scenarios that only require access to resources within a specific namespace.
  2. Privileged RBAC: Provides cluster-wide permissions for scenarios that require access to cluster-level resources like nodes.

RBAC YAML Files

Ns-Privileged Role

The ns-privileged role provides permissions limited to namespace-scoped resources:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: krkn-ns-privileged-role
  namespace: <target-namespace>
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets"]
  verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "delete"]

Ns-Privileged RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: krkn-ns-privileged-rolebinding
  namespace: <target-namespace>
subjects:
- kind: ServiceAccount
  name: <krkn-sa>
  namespace: <target-namespace>
roleRef:
  kind: Role
  name: krkn-ns-privileged-role
  apiGroup: rbac.authorization.k8s.io

Privileged ClusterRole

The privileged ClusterRole provides permissions for cluster-wide resources:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: krkn-privileged-clusterrole
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]

Privileged ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: krkn-privileged-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: <krkn-sa>
  namespace: <krkn-namespace>
roleRef:
  kind: ClusterRole
  name: krkn-privileged-clusterrole
  apiGroup: rbac.authorization.k8s.io

How to Apply RBAC Configuration

  1. Customize the placeholders in the YAML files:

    • Replace <target-namespace> with the namespace where you want to run Krkn scenarios
    • Replace <krkn-namespace> with the namespace where Krkn itself is deployed
    • Replace <krkn-sa> with the name of the service account created in the next step
  2. Create a service account for Krkn:

    kubectl create serviceaccount krkn-sa -n <namespace>
    
  3. Apply the RBAC configuration:

    # For ns-privileged access
    kubectl apply -f rbac/ns-privileged-role.yaml
    kubectl apply -f rbac/ns-privileged-rolebinding.yaml
    
    # For privileged access
    kubectl apply -f rbac/privileged-clusterrole.yaml
    kubectl apply -f rbac/privileged-clusterrolebinding.yaml
    

OpenShift-specific Configuration

For OpenShift clusters, you may need to grant the privileged Security Context Constraint (SCC) to the service account:

oc adm policy add-scc-to-user privileged -z krkn-sa -n <namespace>

Krkn Scenarios and Required RBAC Permissions

The following table lists the available Krkn scenarios and their required RBAC permission levels:

| Scenario Type | Plugin Type | Required RBAC | Description |
|---|---|---|---|
| application_outages_scenarios | Namespace | Ns-Privileged | Scenarios that cause application outages |
| cluster_shut_down_scenarios | Cluster | Privileged | Scenarios that shut down the cluster |
| container_scenarios | Namespace | Ns-Privileged | Scenarios that affect containers |
| hog_scenarios | Cluster | Privileged | Scenarios that consume resources |
| network_chaos_scenarios | Cluster | Privileged | Scenarios that cause network chaos |
| network_chaos_ng_scenarios | Cluster | Privileged | Next-gen network chaos scenarios |
| node_scenarios | Cluster | Privileged | Scenarios that affect nodes |
| pod_disruption_scenarios | Namespace | Ns-Privileged | Scenarios that disrupt or kill pods |
| pod_network_scenarios | Namespace | Ns-Privileged | Scenarios that affect pod network connectivity |
| pvc_scenarios | Namespace | Ns-Privileged | Scenarios that affect persistent volume claims |
| service_disruption_scenarios | Namespace | Ns-Privileged | Scenarios that disrupt services |
| service_hijacking_scenarios | Namespace | Privileged | Scenarios that hijack services |
| syn_flood_scenarios | Cluster | Privileged | SYN flood attack scenarios |
| time_scenarios | Cluster | Privileged | Scenarios that manipulate system time |
| zone_outages_scenarios | Cluster | Privileged | Scenarios that simulate zone outages |
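The example below is added here and is not Krkn project code. It encodes the rules of the two Role/ClusterRole documents from the RBAC YAML section and the scenario table above as Python data, answers "can this service account do X" offline using the same matching the Kubernetes RBAC authorizer applies to plain resource rules, prints the equivalent kubectl auth can-i command for confirming each answer on a live cluster after the apply steps, and reports the lowest RBAC level that covers a planned set of scenarios. The namespace names chaos-target and krkn are constructed stand-ins for <target-namespace> and <krkn-namespace>, and the function names are this example's own.

```python
"""Offline model of the Krkn RBAC documents and scenario table on this page.

Added example, not Krkn project code. 'chaos-target' and 'krkn' are constructed
stand-ins for <target-namespace> and <krkn-namespace>. A rule grants a request
when the apiGroup, resource and verb each appear in the rule (or it uses "*").
"""

CORE = ""  # the core API group is spelled as the empty string in apiGroups
TARGET_NS = "chaos-target"  # stands in for <target-namespace>
KRKN_NS = "krkn"            # stands in for <krkn-namespace>
SA = "krkn-sa"

NS_VERBS = ["get", "list", "watch", "create", "delete"]
# Rules of krkn-ns-privileged-role (a namespaced Role) as given on the page.
NS_PRIVILEGED_RULES = [
    {"apiGroups": [CORE], "resources": ["pods", "services"], "verbs": NS_VERBS},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"], "verbs": NS_VERBS},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": NS_VERBS},
]

PRIV_VERBS = NS_VERBS + ["update", "patch"]
# Rules of krkn-privileged-clusterrole (a ClusterRole) as given on the page.
PRIVILEGED_RULES = [
    {"apiGroups": [CORE], "resources": ["nodes"], "verbs": PRIV_VERBS},
    {"apiGroups": [CORE], "resources": ["pods", "services"], "verbs": PRIV_VERBS},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"], "verbs": PRIV_VERBS},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": PRIV_VERBS},
]

# A binding is (name, rules, namespace). A RoleBinding carries the namespace it
# lives in; a ClusterRoleBinding carries None and applies in every namespace.
NS_BINDINGS = [("krkn-ns-privileged-role", NS_PRIVILEGED_RULES, TARGET_NS)]
PRIV_BINDINGS = [("krkn-privileged-clusterrole", PRIVILEGED_RULES, None)]


def rule_matches(rule, group, resource, verb):
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule["apiGroups"], group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def allowed(bindings, verb, resource, group=CORE, namespace=None):
    """True if some binding grants verb on resource. namespace=None models a
    request for a cluster-scoped resource such as nodes; such requests carry no
    namespace, so a namespaced Role never applies to them."""
    for _name, rules, bound_ns in bindings:
        if bound_ns is not None and bound_ns != namespace:
            continue  # a RoleBinding only reaches objects in its own namespace
        if any(rule_matches(r, group, resource, verb) for r in rules):
            return True
    return False


def can_i_command(sa_ns, sa, verb, resource, group=CORE, namespace=None):
    """The kubectl command that asks a live cluster the same question while
    impersonating the service account the binding targets."""
    res = f"{resource}.{group}" if group else resource
    cmd = ["kubectl", "auth", "can-i", verb, res, f"--as=system:serviceaccount:{sa_ns}:{sa}"]
    if namespace is not None:
        cmd += ["-n", namespace]
    return " ".join(cmd)


# Required RBAC level per scenario type, copied from the table on the page.
SCENARIO_RBAC = {
    "application_outages_scenarios": "Ns-Privileged",
    "cluster_shut_down_scenarios": "Privileged",
    "container_scenarios": "Ns-Privileged",
    "hog_scenarios": "Privileged",
    "network_chaos_scenarios": "Privileged",
    "network_chaos_ng_scenarios": "Privileged",
    "node_scenarios": "Privileged",
    "pod_disruption_scenarios": "Ns-Privileged",
    "pod_network_scenarios": "Ns-Privileged",
    "pvc_scenarios": "Ns-Privileged",
    "service_disruption_scenarios": "Ns-Privileged",
    "service_hijacking_scenarios": "Privileged",
    "syn_flood_scenarios": "Privileged",
    "time_scenarios": "Privileged",
    "zone_outages_scenarios": "Privileged",
}


def minimum_rbac_for(scenarios):
    """Lowest RBAC level covering every planned scenario, plus the scenarios that
    force the ClusterRoleBinding. Unknown names raise instead of silently
    defaulting to the weaker level."""
    unknown = sorted(set(scenarios) - set(SCENARIO_RBAC))
    if unknown:
        raise KeyError(f"not in the scenario table: {unknown}")
    escalating = [s for s in scenarios if SCENARIO_RBAC[s] == "Privileged"]
    return ("Privileged", escalating) if escalating else ("Ns-Privileged", [])


if __name__ == "__main__":
    checks = [("delete", "pods", CORE, TARGET_NS), ("delete", "pods", CORE, "kube-system"),
              ("patch", "deployments", "apps", TARGET_NS), ("list", "nodes", CORE, None)]
    for label, bindings, sa_ns in (("ns-privileged", NS_BINDINGS, TARGET_NS),
                                   ("privileged", PRIV_BINDINGS, KRKN_NS)):
        print(f"== {label} (service account {sa_ns}/{SA}) ==")
        for verb, resource, group, ns in checks:
            verdict = "yes" if allowed(bindings, verb, resource, group, ns) else "no"
            print(f"  expect {verdict:3} <- {can_i_command(sa_ns, SA, verb, resource, group, ns)}")
    print(minimum_rbac_for(["pod_disruption_scenarios", "node_scenarios"]))
```

Running the script prints, for each of the two bindings, the expected answer next to the kubectl auth can-i command that confirms it once the manifests are applied. The point it makes visible is the scope difference: the RoleBinding lets krkn-sa delete pods only in the target namespace and never reaches nodes, while the ClusterRoleBinding grants the same verbs in every namespace, kube-system included. minimum_rbac_for tells you whether the scenarios you actually plan to run need that wider grant at all, so the ClusterRoleBinding can be left unapplied when they do not.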

NOTE: Grant the privileged SCC to the user running the pod to execute all the Krkn test scenarios listed above:

oc adm policy add-scc-to-user privileged user1