Use the AWS FIS aws:eks:pod actions
You can use the aws:eks:pod actions to inject faults into the Kubernetes pods running in your EKS clusters.
When an action is initiated, FIS retrieves the
FIS Pod container image
.
This image is then used to create a pod in the targeted EKS cluster. The newly-created pod is responsible
for injecting, controlling and monitoring the fault. For all FIS EKS actions, except from
aws:eks:pod-delete
,
this is achieved through the use of
ephemeral containers
-
FIS creates the FIS Pod in the cluster which is provided in the experiment template.
-
The FIS Pod creates an ephemeral container in the Target Pod.
-
The FIS Pod controls and monitors the fault injection of the ephemeral container and FIS controls and monitors the FIS Pod.
Upon experiment completion or if an error occurs, the ephemeral container and the FIS Pod are removed.
Actions
Limitations
-
The following actions do not work with AWS Fargate:
aws:eks:pod-network-blackhole-port
aws:eks:pod-network-latency
aws:eks:pod-network-packet-loss
-
The following actions do not support the
bridge
network mode:aws:eks:pod-network-blackhole-port
aws:eks:pod-network-latency
aws:eks:pod-network-packet-loss
-
You can't identify targets of type aws:eks:pod in your experiment template using resource ARNs or resource tags. You must identify targets using the required resource parameters.
-
The actions
aws:eks:pod-network-latency
andaws:eks:pod-network-packet-loss
should not be run in parallel and target the same pod. Depending on the value of themaxErrors
parameter you specify, the action may end in completed or in failed state:If
maxErrorsPercent
is 0 (default), the action will end in failed state.Otherwise, the failure will add up to the
maxErrorsPercent
budget. If the number of failed injections do not reach the providedmaxErrors
, the action will end up in completed state.You can identify these failures from the logs of the injected ephemeral container in the target pod. It will fail with
Exit Code: 16
.
-
The action
aws:eks:pod-network-blackhole-port
should not be run in parallel with other actions that target the same pod and use the sametrafficType
. Parallel actions using different traffic types are supported. -
FIS can only monitor the status of fault injection when the
securityContext
of the target pods is set toreadOnlyRootFilesystem: false
. Without this configuration, all EKS pod actions will fail.
Requirements
-
Install the AWS CLI on your computer. This is needed only if you'll use the AWS CLI to create IAM roles. For more information, see Installing or updating the AWS CLI.
-
Install kubectl on your computer. This is needed only to interact with the EKS cluster to configure or monitor the target application. For more information, see https://kubernetes.io/docs/tasks/tools/
. -
The minimum supported version of EKS is 1.23.
Create an experiment role
To run an experiment, you need to configure an IAM role for the experiment. For more
information, see IAM roles for AWS FIS experiments. The required permissions for this role
depend on the action you're using. Refer to the
AWS FIS actions that target aws:eks:pod
to find the necessary permissions for your action.
Configure the Kubernetes service account
Configure a Kubernetes service account to run experiments with targets in the
specified Kubernetes namespace. In the following example, the service account is
myserviceaccount
and the namespace is
default
. Note that default is one of the
standard Kubernetes namespaces.
To configure your Kubernetes service account
-
Create a file named
rbac.yaml
and add the following.kind: ServiceAccount apiVersion: v1 metadata: namespace:
default
name:myserviceaccount
--- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace:default
name:role-experiments
rules: - apiGroups: [""] resources: ["configmaps"] verbs: [ "get", "create", "patch", "delete"] - apiGroups: [""] resources: ["pods"] verbs: ["create", "list", "get", "delete", "deletecollection"] - apiGroups: [""] resources: ["pods/ephemeralcontainers"] verbs: ["update"] - apiGroups: [""] resources: ["pods/exec"] verbs: ["create"] - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: bind-role-experiments namespace:default
subjects: - kind: ServiceAccount name:myserviceaccount
namespace:default
- apiGroup: rbac.authorization.k8s.io kind: User name:fis-experiment
roleRef: kind: Role name:role-experiments
apiGroup: rbac.authorization.k8s.io -
Run the following command.
kubectl apply -f rbac.yaml
Grant IAM users and roles access to Kubernetes APIs
Follow the steps explained in Associate IAM Identities with Kubernetes Permissions in the EKS documentation.
We recommend using Access Entries by following the steps explained in Grant IAM users access to Kubernetes with EKS access entries.
aws eks create-access-entry \ --principal-arn arn:aws:iam::
123456789012
:role/fis-experiment-role
\ --usernamefis-experiment
\ --cluster-namemy-cluster
Important
In order to leverage access entries, the authentication mode of the EKS cluster must be configured
to either the API_AND_CONFIG_MAP
or API
mode.
You can also use the following command to create an identity mapping. For more information, see
Manage IAM users and
roles
eksctl create iamidentitymapping \ --arn arn:aws:iam::
123456789012
:role/fis-experiment-role
\ --usernamefis-experiment
\ --clustermy-cluster
Important
Leveraging the eksctl toolkit to configure identity mappings will result in the creation of
entries within the aws-auth
ConfigMap. It is important to note that these generated
entries do not support the inclusion of a path component. Consequently, the ARN provided as input
must not contain a path segment (e.g.,
arn:aws:iam::123456789012:role/service-role/fis-experiment-role
).
Pod container images
The pod container images provided by AWS FIS are hosted in Amazon ECR. When you reference an image from Amazon ECR, you must use the full image URI.
The pod container image is also available in the AWS ECR Public Gallery
AWS Region | Image URI |
---|---|
US East (Ohio) | 051821878176.dkr.ecr.us-east-2.amazonaws.com/aws-fis-pod:0.1 |
US East (N. Virginia) | 731367659002.dkr.ecr.us-east-1.amazonaws.com/aws-fis-pod:0.1 |
US West (N. California) | 080694859247.dkr.ecr.us-west-1.amazonaws.com/aws-fis-pod:0.1 |
US West (Oregon) | 864386544765.dkr.ecr.us-west-2.amazonaws.com/aws-fis-pod:0.1 |
Africa (Cape Town) | 056821267933.dkr.ecr.af-south-1.amazonaws.com/aws-fis-pod:0.1 |
Asia Pacific (Hong Kong) | 246405402639.dkr.ecr.ap-east-1.amazonaws.com/aws-fis-pod:0.1 |
Asia Pacific (Mumbai) | 524781661239.dkr.ecr.ap-south-1.amazonaws.com/aws-fis-pod:0.1 |
Asia Pacific (Seoul) | 526524659354.dkr.ecr.ap-northeast-2.amazonaws.com/aws-fis-pod:0.1 |
Asia Pacific (Singapore) | 316401638346.dkr.ecr.ap-southeast-1.amazonaws.com/aws-fis-pod:0.1 |
Asia Pacific (Sydney) | 488104106298.dkr.ecr.ap-southeast-2.amazonaws.com/aws-fis-pod:0.1 |
Asia Pacific (Tokyo) | 635234321696.dkr.ecr.ap-northeast-1.amazonaws.com/aws-fis-pod:0.1 |
Canada (Central) | 490658072207.dkr.ecr.ca-central-1.amazonaws.com/aws-fis-pod:0.1 |
Europe (Frankfurt) | 713827034473.dkr.ecr.eu-central-1.amazonaws.com/aws-fis-pod:0.1 |
Europe (Ireland) | 205866052826.dkr.ecr.eu-west-1.amazonaws.com/aws-fis-pod:0.1 |
Europe (London) | 327424803546.dkr.ecr.eu-west-2.amazonaws.com/aws-fis-pod:0.1 |
Europe (Milan) | 478809367036.dkr.ecr.eu-south-1.amazonaws.com/aws-fis-pod:0.1 |
Europe (Paris) | 154605889247.dkr.ecr.eu-west-3.amazonaws.com/aws-fis-pod:0.1 |
Europe (Spain) | 395402409451.dkr.ecr.eu-south-2.amazonaws.com/aws-fis-pod:0.1 |
Europe (Stockholm) | 263175118295.dkr.ecr.eu-north-1.amazonaws.com/aws-fis-pod:0.1 |
Middle East (Bahrain) | 065825543785.dkr.ecr.me-south-1.amazonaws.com/aws-fis-pod:0.1 |
South America (São Paulo) | 767113787785.dkr.ecr.sa-east-1.amazonaws.com/aws-fis-pod:0.1 |
AWS GovCloud (US-East) | 246533647532.dkr.ecr.us-gov-east-1.amazonaws.com/aws-fis-pod:0.1 |
AWS GovCloud (US-West) | 246529956514.dkr.ecr.us-gov-west-1.amazonaws.com/aws-fis-pod:0.1 |
Example experiment template
The following is an example experiment template for the aws:eks:pod-network-latency action.
{ "description": "Add latency and jitter to the network interface for the target EKS pods", "targets": { "myPods": { "resourceType": "aws:eks:pod", "parameters": { "clusterIdentifier": "
mycluster
", "namespace": "default
", "selectorType": "labelSelector
", "selectorValue": "mylabel=mytarget
" }, "selectionMode": "COUNT(3)
" } }, "actions": { "EksPod-latency": { "actionId": "aws:eks:pod-network-latency", "description": "Add latency", "parameters": { "kubernetesServiceAccount": "myserviceaccount
", "duration": "PT5M
", "delayMilliseconds": "200
", "jitterMilliseconds": "10
", "sources": "0.0.0.0/0
" }, "targets": { "Pods": "myPods" } } }, "stopConditions": [ { "source": "none", } ], "roleArn": "arn:aws:iam::111122223333
:role/fis-experiment-role
", "tags": { "Name": "EksPodNetworkLatency" } }