Platform-wise permissions

This topic describes the platform-wise permissions required to execute a variety of chaos experiments on different platforms in your target environments.

On-premise VMs (VMware VMs)

Windows OS platform
Chaos agent deployment model: Native Chaos Agent on Each VM (system service within Target Windows Machine)

Connectivity requirements from agent:
  1. Outbound over port 443 to Harness from VM.
  2. Outbound to application health endpoints (ones which will be used for resilience validation) from VM.

Connectivity requirements from VM/cluster/app: Application and Chaos Agent co-exist on the same VM.

Access requirements for agent install: Install agent as an administrator user.

Access requirements for basic chaos experiments: Run experiments with non-administrator user.

Access requirements for advanced chaos experiments: Run experiments with administrator user.

Chaos deployment and architecture details: Refer to Windows Chaos Infrastructure Management.

Supported chaos faults: Basic faults with non-administrator; basic and advanced faults with administrator.


Chaos agent deployment model: Centralized chaos agent on Kubernetes (leverage VMware tools to inject chaos process inside the guest VM)

Connectivity requirements from agent:
  1. Outbound over port 443 to Harness from Kubernetes cluster.
  2. Outbound to application health endpoints (ones used for resilience validation) from Kubernetes cluster.
  3. Outbound over port 443 to vCenter from Kubernetes cluster.

Connectivity requirements from VM/cluster/app: Inbound over port 443 on ESX host (from Kubernetes chaos agent).

Access requirements for agent install: Install agent as a cluster-admin OR as a user mapped to cluster role with these permissions.

Access requirements for basic chaos experiments:
  1. vCenter user should be mapped to a predefined chaos role.
  2. VMware tools should be set up on the VM.
  3. Remote command injection can be performed with non-administrator user.

Access requirements for advanced chaos experiments:
  1. vCenter user should be mapped to a predefined chaos role.
  2. VMware tools should be set up on the VM.
  3. Remote command injection can be performed with administrator user.

Chaos deployment and architecture details:
  1. Refer to [D.1] and [D.2] in HCE TKGi chaos approach and deployment architecture.
  2. For more info, go to vCenter API Invocation used for the VM Faults executed by the K8s Agent.

Supported chaos faults:
  1. Basic faults via remote command injection with non-administrator.
  2. Basic and advanced faults via remote command injection with administrator.