Creates iptables rules inside one or more pods to block incoming and/or outgoing traffic on selected ports of the pod's network interfaces. It can be used to cut a pod off from a network service it depends on, or to block communication between pods.
Pod Network Filter
- 1: Pod Network Filter Using Krkn
- 2: Pod Network Filter Using Krkn-Hub
- 3: Pod Network Filter Using Krknctl
1 - Pod Network Filter Using Krkn
Configuration

```yaml
- id: pod_network_filter
  wait_duration: 300
  test_duration: 100
  label_selector: "app=label"
  instance_count: 1
  execution: parallel
  namespace: 'default'
  # scenario specific settings
  ingress: false
  egress: true
  target: 'pod-name'
  interfaces: []
  protocols:
    - tcp
  ports:
    - 80
  taints: []
```
For the common module settings (the fields above the scenario specific settings) please refer to the network chaos NG module documentation.

ingress
: filters the incoming traffic on one or more ports. If set, one or more network interfaces must be specified.
egress
: filters the outgoing traffic on one or more ports.
target
: the pod name (used only if label_selector is not set).
interfaces
: a list of network interfaces on which the incoming traffic will be filtered.
ports
: the list of ports that will be filtered.
protocols
: the IP protocols to filter (tcp and udp).
taints
: list of taints for which tolerations need to be created. Example: ["node-role.kubernetes.io/master:NoSchedule"]
Usage
To enable the pod network filter scenario, edit the kraken config file, go to the section kraken -> chaos_scenarios of the yaml structure, add a new element to the list named network_chaos_ng_scenarios, then add the desired scenario pointing to the pod-network-filter.yml file:

```yaml
kraken:
  ...
  chaos_scenarios:
    - network_chaos_ng_scenarios:
        - scenarios/kube/pod-network-filter.yml
```
Examples
Please refer to the use cases section for some real usage scenarios.
2 - Pod Network Filter Using Krkn-Hub
Run

```shell
$ podman run --name=<container_name> --net=host --env-host=true -v <path-to-kube-config>:/home/krkn/.kube/config:z -d quay.io/krkn-chaos/krkn-hub:pod-network-filter
$ podman logs -f <container_name or container_id> # Streams Kraken logs
$ podman inspect <container-name or container-id> --format "{{.State.ExitCode}}" # Outputs exit code which can be considered as pass/fail for the scenario
```

```shell
$ docker run $(./get_docker_params.sh) --name=<container_name> --net=host -v <path-to-kube-config>:/home/krkn/.kube/config:z -d quay.io/krkn-chaos/krkn-hub:pod-network-filter
```

OR

```shell
$ docker run -e <VARIABLE>=<value> --net=host -v <path-to-kube-config>:/home/krkn/.kube/config:z -d quay.io/krkn-chaos/krkn-hub:pod-network-filter
$ docker logs -f <container_name or container_id> # Streams Kraken logs
$ docker inspect <container-name or container-id> --format "{{.State.ExitCode}}" # Outputs exit code which can be considered as pass/fail for the scenario
```
TIP: Because the container runs as a non-root user, make sure the kube config is readable by that user before mounting it into the container. Flattening the config first also embeds the certificates, keys and tokens inline, so the mounted file is self-contained and does not reference host paths the container cannot see:

```shell
kubectl config view --flatten > ~/kubeconfig && chmod 444 ~/kubeconfig && docker run $(./get_docker_params.sh) --name=<container_name> --net=host -v ~/kubeconfig:/home/krkn/.kube/config:Z -d quay.io/krkn-chaos/krkn-hub:<scenario>
```

Note that a mode 444 file holds cluster credentials readable by every local account on the host; keep it in a directory only you can traverse and delete it once the run is over.
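Two things can go wrong with the mounted kube config that only show up once the container is already running: the file is not readable by the non-root container user, or it was never flattened and still points at certificate and key files on the host that are not mounted. The following Python pre-flight check is an added example and not part of krkn-hub. The sample kube config contents are constructed, and the field names it scans for (`certificate-authority`, `client-certificate`, `client-key` without the `-data` suffix) are the standard kube config fields that reference external files.

```python
"""Pre-flight check for a kubeconfig that will be mounted into krkn-hub.

Added example, not krkn-hub code. Checks the two conditions behind the tip
above: the file must be world-readable for the non-root container user, and it
must be flattened (credentials inline as *-data fields) rather than pointing
at certificate/key files on the host that the container cannot see.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile

# kubeconfig fields that reference files on the host; the flattened form
# uses certificate-authority-data / client-certificate-data / client-key-data.
EXTERNAL_FILE_FIELD = re.compile(
    r"^[ \t]*(certificate-authority|client-certificate|client-key)[ \t]*:",
    re.MULTILINE,
)


def check_kubeconfig(path: str) -> list[str]:
    """Return the list of problems found; an empty list means safe to mount."""
    problems: list[str] = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not mode & stat.S_IROTH:
        problems.append(
            f"{path}: mode {mode:04o} is not world-readable; the non-root "
            "container user cannot read it (chmod 444 as in the tip above)"
        )
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    for match in EXTERNAL_FILE_FIELD.finditer(text):
        problems.append(
            f"{path}: '{match.group(1)}' references a file on the host; "
            "flatten the config with 'kubectl config view --flatten'"
        )
    return problems


# Constructed sample: an unflattened kubeconfig referencing files on the host.
KUBECONFIG_EXTERNAL = """\
apiVersion: v1
kind: Config
clusters:
- name: lab
  cluster:
    server: https://127.0.0.1:6443
    certificate-authority: /home/user/.minikube/ca.crt
users:
- name: lab-admin
  user:
    client-certificate: /home/user/.minikube/client.crt
    client-key: /home/user/.minikube/client.key
contexts:
- name: lab
  context: {cluster: lab, user: lab-admin}
current-context: lab
"""

# Constructed sample: the same config after --flatten (placeholder base64 data).
KUBECONFIG_FLAT = """\
apiVersion: v1
kind: Config
clusters:
- name: lab
  cluster:
    server: https://127.0.0.1:6443
    certificate-authority-data: Q09OU1RSVUNURUQtQ0E=
users:
- name: lab-admin
  user:
    client-certificate-data: Q09OU1RSVUNURUQtQ0VSVA==
    client-key-data: Q09OU1RSVUNURUQtS0VZ
contexts:
- name: lab
  context: {cluster: lab, user: lab-admin}
current-context: lab
"""


def run_demo() -> dict[str, list[str]]:
    """Write both samples with the modes a user might have and check them."""
    workdir = tempfile.mkdtemp(prefix="krkn-kubeconfig-")  # private 0700 dir
    cases = (
        ("external-0600", KUBECONFIG_EXTERNAL, 0o600),
        ("flattened-0444", KUBECONFIG_FLAT, 0o444),
    )
    results: dict[str, list[str]] = {}
    for name, text, mode in cases:
        path = os.path.join(workdir, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        results[name] = check_kubeconfig(path)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run `check_kubeconfig` on the flattened file from the tip before every `podman run`/`docker run`; an empty list is the go signal. The unflattened 0600 sample fails on both counts, which is exactly what a freshly copied `~/.kube/config` from a minikube or kubeadm setup looks like.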
Supported parameters
The following environment variables can be set on the host running the container to tweak the scenario/faults being injected, e.g.:

```shell
export <parameter_name>=<value>
```

See the list of variables that apply to all scenarios, which can be set in addition to the scenario-specific variables below.
Parameter | Description | Default |
---|---|---|
TOTAL_CHAOS_DURATION | set chaos duration (in sec) as desired | 60 |
POD_SELECTOR | defines the pod selector for choosing target pods. If multiple pods match the selector, all of them will be targeted (subject to INSTANCE_COUNT) | "app=selector" |
POD_NAME | the pod name to target (if POD_SELECTOR is not specified) | |
INSTANCE_COUNT | restricts the number of pods selected by the selector | "1" |
EXECUTION | sets the execution mode of the scenario on multiple pods, can be parallel or serial | "parallel" |
INGRESS | sets the network filter on incoming traffic, can be true or false | false |
EGRESS | sets the network filter on outgoing traffic, can be true or false | true |
INTERFACES | a comma separated list of network interface names (e.g. eth0 or eth0,eth1,eth2) on which incoming traffic is filtered; required when INGRESS is true | "" |
PORTS | a comma separated list of port numbers (e.g. 8080 or 8080,8081,8082) to filter for both outgoing and incoming traffic | "" |
PROTOCOLS | a comma separated list of network protocols (tcp, udp or both, e.g. tcp,udp) | "tcp" |
TAINTS | list of taints for which tolerations need to be created. Example: ["node-role.kubernetes.io/master:NoSchedule"] | [] |
NOTE: when using a custom metrics profile or alerts profile with CAPTURE_METRICS or ENABLE_ALERTS enabled, mount the profiles from the host on which the container is run, using podman/docker, under /home/krkn/kraken/config/metrics-aggregated.yaml and /home/krkn/kraken/config/alerts. For example:

```shell
$ podman run --name=<container_name> --net=host --env-host=true -v <path-to-custom-metrics-profile>:/home/krkn/kraken/config/metrics-aggregated.yaml -v <path-to-custom-alerts-profile>:/home/krkn/kraken/config/alerts -v <path-to-kube-config>:/home/krkn/.kube/config:Z -d quay.io/krkn-chaos/krkn-hub:pod-network-filter
```
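The constraints stated in the configuration section (ingress needs at least one interface, ports and protocols are required, label_selector takes precedence over target) and the variable names in the krkn-hub table above can be checked mechanically before a run. The following Python script is an added example, not krkn or krkn-hub code: it validates a scenario dictionary against those documented rules and renders the equivalent krkn-hub `export` lines for `podman run --env-host=true`. The mapping of `test_duration` to TOTAL_CHAOS_DURATION is an assumption, and `taints` is not rendered because its hub input format is not specified on this page.

```python
"""Validate a pod_network_filter scenario and render its krkn-hub environment.

Added example, not krkn/krkn-hub code. The rules are the ones the
documentation states: ingress needs at least one interface, ports are
required, protocols are tcp/udp, execution is parallel or serial, and
label_selector takes precedence over target. Mapping test_duration to
TOTAL_CHAOS_DURATION is an assumption; taints are not rendered because their
hub format is not documented here.
"""
from __future__ import annotations

# Constructed from the sample scenario in the configuration section.
SCENARIO = {
    "id": "pod_network_filter",
    "wait_duration": 300,
    "test_duration": 100,
    "label_selector": "app=label",
    "instance_count": 1,
    "execution": "parallel",
    "namespace": "default",
    "ingress": False,
    "egress": True,
    "target": "pod-name",
    "interfaces": [],
    "protocols": ["tcp"],
    "ports": [80],
    "taints": [],
}

VALID_PROTOCOLS = ("tcp", "udp")
VALID_EXECUTION = ("parallel", "serial")


def _is_int(value: object) -> bool:
    """True for real integers only (bool is an int subclass in Python)."""
    return isinstance(value, int) and not isinstance(value, bool)


def validate(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the scenario is usable."""
    errors: list[str] = []
    if cfg.get("id") != "pod_network_filter":
        errors.append(f"id must be pod_network_filter, got {cfg.get('id')!r}")
    if not cfg.get("label_selector") and not cfg.get("target"):
        errors.append("either label_selector or target must identify the pod(s)")
    if not cfg.get("ingress") and not cfg.get("egress"):
        errors.append("ingress and egress are both false: no rule would be created")
    if cfg.get("ingress") and not cfg.get("interfaces"):
        errors.append("ingress is true but no interface is listed")
    ports = cfg.get("ports") or []
    if not ports:
        errors.append("ports must list at least one port")
    for port in ports:
        if not _is_int(port) or not 1 <= port <= 65535:
            errors.append(f"invalid port {port!r}")
    protocols = cfg.get("protocols") or []
    if not protocols:
        errors.append("protocols must list tcp, udp or both")
    for proto in protocols:
        if proto not in VALID_PROTOCOLS:
            errors.append(f"unsupported protocol {proto!r} (only tcp and udp)")
    if cfg.get("execution") not in VALID_EXECUTION:
        errors.append(f"execution must be parallel or serial, got {cfg.get('execution')!r}")
    if not _is_int(cfg.get("instance_count")) or cfg["instance_count"] < 1:
        errors.append(f"instance_count must be a positive integer, got {cfg.get('instance_count')!r}")
    for key in ("wait_duration", "test_duration"):
        if not _is_int(cfg.get(key)) or cfg[key] < 0:
            errors.append(f"{key} must be a non-negative integer, got {cfg.get(key)!r}")
    return errors


def to_hub_env(cfg: dict) -> dict[str, str]:
    """Map the scenario to the krkn-hub variables from the table above."""
    env = {
        "TOTAL_CHAOS_DURATION": str(cfg["test_duration"]),  # assumed mapping
        "INSTANCE_COUNT": str(cfg["instance_count"]),
        "EXECUTION": cfg["execution"],
        "INGRESS": "true" if cfg.get("ingress") else "false",
        "EGRESS": "true" if cfg.get("egress") else "false",
        "INTERFACES": ",".join(cfg.get("interfaces") or []),
        "PORTS": ",".join(str(p) for p in cfg.get("ports") or []),
        "PROTOCOLS": ",".join(cfg.get("protocols") or []),
    }
    # label_selector wins over target, as the configuration section states.
    if cfg.get("label_selector"):
        env["POD_SELECTOR"] = cfg["label_selector"]
    elif cfg.get("target"):
        env["POD_NAME"] = cfg["target"]
    return env


def render_exports(env: dict[str, str]) -> str:
    """Shell lines to source before `podman run --env-host=true`."""
    return "\n".join(f'export {key}="{value}"' for key, value in env.items())


if __name__ == "__main__":
    problems = validate(SCENARIO)
    print("\n".join(problems) if problems else render_exports(to_hub_env(SCENARIO)))
```

The sample scenario sets both `label_selector` and `target`; the rendered environment carries only POD_SELECTOR, mirroring the documented precedence, so a run driven by these exports targets the same pods the krkn scenario file would.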
3 - Pod Network Filter Using Krknctl
```shell
krknctl run pod-network-filter (optional: --<parameter>:<value> )
```

Any of the global variables listed in the krknctl documentation can also be set.
Argument | Type | Description | Required | Default Value |
---|---|---|---|---|
--chaos-duration | number | Chaos duration (in seconds) | false | 60 |
--pod-selector | string | Pod selector | false | |
--pod-name | string | Pod name (used if --pod-selector is not set) | false | |
--namespace | string | Namespace | false | default |
--instance-count | number | Number of instances to target | false | 1 |
--execution | enum | Execution mode (parallel or serial) | false | |
--ingress | boolean | Filter incoming traffic | true | |
--egress | boolean | Filter outgoing traffic | true | |
--interfaces | string | Network interfaces on which incoming traffic is filtered (comma separated if more than one); required when ingress is enabled | false | |
--ports | string | Network ports to filter traffic (comma separated if more than one) | true | |
--image | string | The network chaos injection workload container image | false | quay.io/krkn-chaos/krkn-network-chaos:latest |
--protocols | string | The network protocols that will be filtered (tcp, udp or both) | false | tcp |
--taints | string | List of taints for which tolerations need to be created | false | |