【Chaos Mesh官方文档】 Basic Features

This document describes the basic features of Chaos Mesh, including fault injection, Chaos workflows, visualized operations, and security guarantees.

这篇文档描述了CM的基本特性，包括错误注入，混沌工作流，可视化操作和安全保证

Fault injection​

Fault injection is the key of Chaos experiments. Chaos Mesh covers a full range of faults that might occur in a distributed system, and provides three comprehensive and fine-grained fault types: basic resource faults, platform faults, and application-layer faults.

• Basic resource faults:
  • PodChaos: simulates Pod failures, such as Pod node restart, Pod's persistent unavailablility, and certain container failures in a specific Pod.
  • NetworkChaos: simulates network failures, such as network latency, packet loss, packet disorder, and network partitions.
  • DNSChaos: simulates DNS failures, such as the parsing failure of DNS domain name and the wrong IP address returned.
  • HTTPChaos: simulates HTTP communication failures, such as HTTP communication latency.
  • StressChaos: simulates CPU race or memory race.
  • IOChaos: simulates the I/O failure of an application file, such as I/O delays, read and write failures.
  • TimeChaos: simulates the time jump exception.
  • KernelChaos: simulates kernel failures, such as an exception of the application memory allocation.
• Platform faults:
  • AWSChaos: simulates AWS platform failures, such as the AWS node restart.
  • GCPChaos: simulates GCP platform failures, such as the GCP node restart.
• Application faults:
  • JVMChaos: simulates JVM application failures, such as the function call delay.

错误注入

错误注入和混沌实验的关键。CM涵盖了所有可能发生在分布式系统的错误并提供了三种详尽的和良好细粒度的错误类型：基础资源错误，平台错误和应用层错误。

基本资源错误：

Pod混沌：模拟Pod失败，例如Pod节点重启，pod持久化不可用和指定pod的特定容器失败

网络混沌：模拟网络错误，例如网络延迟，包丢失，包乱序，和网络分区

DNS混沌：模拟DNS错误，例如解析DNS域名失败和返回错误的ip

HTTP混沌：模拟HTTP链接错误，例如HTTP链接延迟

IO混沌：模拟一个应用文件的IO失败，例如IO延迟，读写错误

时间混沌：模拟时间跳跃异常

内核混沌：模拟内核错误，例如应用申请内存异常

平台错误：

AWS混沌：模拟AWS平台错误，例如AWS节点重启

GCP混沌：模拟GCP平台错误，例如GCP节点重启

应用错误：

JVM混沌：模拟JVM应用错误，例如方法调用延迟

Chaos workflows​

A Chaos workflow includes a set of Chaos experiments and an application status check, so you can complete the entire process of a Chaos engineering project on the platform.

Chaos workflows enable you to perform a series of Chaos experiments, keep expanding the explosion radius (including the scope of attacks), and increase the failure types. After running a Chaos workflow, you can easily view the current state of the application using Chaos Mesh and determine whether to perform follow-up experiments.At the same time, to reduce the cost of maintaining Chaos workflows, you can keep updating and accumulating the Chaos experiment workflows, and apply the existing experiments to other workflows.

Currently, Chaos workflows provide the following features:

• Orchestrate serial Chaos experiments
• Orchestrate parallel Chaos experiments
• Support checking experimental status and results
• Support pausing a Chaos experiment
• Support using YAML files to define and manage Chaos workflows
• Support using the web UI to define and manage Chaos workflows

For the configuration of a specific workflow, see Create Chaos Mesh workflow.

混沌工作流

一个混沌工作流包含一系列混沌实验和一个应用状态检查，所以你可以在这个平台上完成整个混沌工程的流程

混沌工作流让你能够执行一系列混沌实验，保持扩大爆炸范围（包括攻击范围），和增加错误类型。在运行一个混沌工作流后，你可以使用CM方便的看到应用程序的当前状态并决定是否执行后续实验。在同一时间，为了减少维持混沌工作流的开销，你可以更新和加速混沌实验工作流并将已存在的实验应用到其他工作流

当前，混沌工作流提供以下特性：

编排串行混沌实验

编排并行混沌实验

时间状态检查和结果的支持

暂停一个混沌实验

使用yaml文件定义和管理混沌工作流

使用web界面定义和管理混沌工作流

参考创建CM工作流获得更多配置信息

Visualized operations​

Chaos Mesh provides the Chaos Dashboard component for visualized operations, which greatly simplifies Chaos experiments.You can manage and monitor a Chaos experiment directly through the visualization interface. For example, with a few clicks on the interface, you can define the scope of a Chaos experiment, specify the type of Chaos injection, define scheduling rules, and get the results of the Chaos experiment.

可视化操作

CM提供混沌看板来可视化操作，这大大简化了混沌实验。你可以直接通过可视化界面管理和监控混沌实验。例如，通过在界面上一些点击，你可以定义混沌实验的范围，指定混沌注入的类型，定义调度规则并获得混沌实验的结果

Security guarantee​

Chaos Mesh manages permissions using the native RBAC feature in Kubernetes.

You can freely create multiple roles based on your actual permission requirements, bind the roles to the username service account, and then generate the token corresponding to the service account.When you log into the Dashboard using this token, you can only perform Chaos experiments within the permissions given by the service account.

In addition, you can specify the namespaces that allow Chaos experiments by setting the namespace annotations, which further safeguards the control of Chaos experiments.

安全保障

CM使用K8s的原生的RBAC管理准入

你可以自由的基于你实际准入需求创建多个角色，绑定角色和服务账号，然后生成对应服务账号的令牌。当你使用令牌登陆看板时，你只能执行给出的服务账号准许的混沌实验

额外的，你可以通过设置命名空间注解来指定命名空间进行混沌实验从而进一步保证混沌实验的控制