FAQs

Questions

Q: If I do not have deployed Kubernetes clusters, can I use Chaos Mesh to create chaos experiments?

No. Instead, you can use chaosd to inject failures without Kubernetes.

Q: I have deployed Chaos Mesh and created PodChaos experiments successfully, but I still fail to create NetworkChaos/TimeChaos experiments. The log is shown below:

  2020-06-18T01:05:26.207Z ERROR controllers.TimeChaos failed to apply chaos on all pods {"reconciler": "timechaos", "error": "rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp xx.xx.xx.xx:xxxxx: connect: connection refused\""}

You can use the hostNetwork parameter to fix this issue as follows:

Q: The default administrator Google Cloud user account is forbidden to create chaos experiments. How do I fix it?

The default administrator Google Cloud user cannot be checked by AdmissionReview. You need to create an administrator role and assign the role to your account to grant the privilege of creating chaos experiments to it. For example:

  kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: role-cluster-manager-pdmas
  rules:
    - apiGroups: ['']
      resources: ['pods', 'namespaces']
      verbs: ['get', 'watch', 'list']
    - apiGroups:
        - chaos-mesh.org
      resources: ['*']
      verbs: ['get', 'list', 'watch', 'create', 'delete', 'patch', 'update']
  ---
  kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: cluster-manager-binding
    namespace: chaos-testing
  subjects:
    # Google Cloud user account
    - kind: User
      name: USER_ACCOUNT
  roleRef:
    kind: ClusterRole
    name: role-cluster-manager-pdmas
    apiGroup: rbac.authorization.k8s.io

The USER_ACCOUNT above should be your Google Cloud user email.

DNSChaos

Q: When I try to run DNSChaos in OpenShift, authorization problems block the process.

If the error message is similar to the following:

  Error creating: pods "chaos-dns-server-123aa56123-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.capabilities.add: Invalid value: "NET_BIND_SERVICE": capability may not be added]

You need to add the privileged Security Context Constraints (SCC) to the chaos-dns-server.

  oc adm policy add-scc-to-user privileged -n chaos-testing -z chaos-dns-server

Installation

Q: When I try to install Chaos Mesh in OpenShift, authorization problems block the installation process.

If the error message is similar to the following:

  Error creating: pods "chaos-daemon-" is forbidden: unable
  to validate against any security context constraint: [spec.securityContext.hostNetwork:
  Invalid value: true: Host network is not allowed to be used spec.securityContext.hostPID:
  Invalid value: true: Host PID is not allowed to be used spec.securityContext.hostIPC:
  Invalid value: true: Host IPC is not allowed to be used securityContext.runAsUser:
  Invalid value: "hostPath": hostPath volumes are not allowed to be used spec.containers[0].securityContext.volumes[1]:
  Invalid value: true: Host network is not allowed to be used spec.containers[0].securityContext.containers[0].hostPort:
  Invalid value: 31767: Host ports are not allowed to be used spec.containers[0].securityContext.hostPID:
  Invalid value: true: Host PID is not allowed to be used spec.containers[0].securityContext.hostIPC:
  ......]

You need to add the privileged SCC to default.

  oc adm policy add-scc-to-user privileged -n chaos-testing -z chaos-daemon
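
Before granting the privileged SCC to a service account, it helps to list exactly which settings the pod was refused. The following is an added example, not part of the Chaos Mesh documentation: it parses the SCC errors in the form quoted in the DNSChaos and Installation answers. The function names are hypothetical, and the entry layout is assumed to match those quoted messages.

```python
import re

# Sample input: the two OpenShift errors quoted in this FAQ, rebuilt here as
# strings (the chaos-daemon message is shortened to its first three entries).
DNS_SERVER_ERROR = (
    'Error creating: pods "chaos-dns-server-123aa56123-" is forbidden: unable to '
    'validate against any security context constraint: '
    '[spec.containers[0].securityContext.capabilities.add: Invalid value: '
    '"NET_BIND_SERVICE": capability may not be added]'
)
DAEMON_ERROR = (
    'Error creating: pods "chaos-daemon-" is forbidden: unable to validate against '
    'any security context constraint: [spec.securityContext.hostNetwork: '
    'Invalid value: true: Host network is not allowed to be used '
    'spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed '
    'to be used spec.securityContext.hostIPC: Invalid value: true: Host IPC is '
    'not allowed to be used]'
)

MARKER = "security context constraint: ["
FIELD = r"[A-Za-z][\w.\[\]]*"
# One entry: "<field>: Invalid value: <value>: <reason>", ending at the next
# entry, at a "..." truncation mark, or at the end of the list.
ENTRY = re.compile(
    rf'(?P<field>{FIELD}):\s+Invalid value:\s+(?P<value>"[^"]*"|[^:\s]+):\s+'
    rf'(?P<reason>.*?)(?=\s+{FIELD}:\s+Invalid value:|\s*\.{{3,}}|\s*\Z)',
    re.S,
)

def parse_scc_denials(message):
    """Return (field, value, reason) for each setting the SCCs refused."""
    start = message.find(MARKER)
    if start < 0:
        return []  # not an SCC validation failure
    body = message[start + len(MARKER):].rstrip()
    if body.endswith("]"):
        body = body[:-1]  # drop the bracket that closes the list
    return [(m["field"], m["value"].strip('"'), m["reason"].strip(" ,"))
            for m in ENTRY.finditer(body)]

def requested_settings(message):
    """Summarise what the pod asked for, e.g. 'hostPID=true'."""
    return sorted({f'{field.rsplit("securityContext.", 1)[-1]}={value}'
                   for field, value, _ in parse_scc_denials(message)})

if __name__ == "__main__":
    for msg in (DNS_SERVER_ERROR, DAEMON_ERROR):
        print(requested_settings(msg))
```

The resulting list shows what the privileged SCC will permit for that service account: the NET_BIND_SERVICE capability for chaos-dns-server, and host network, PID and IPC access for chaos-daemon.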