Resource Access Restrict

The AWS Resource Access Restrict chaos experiment allows you to create network access restrictions by selectively blocking incoming or outgoing traffic from a security group associated with a specific service.

Use cases

This experiment enables you to simulate scenarios where network connectivity is restricted for an AWS service, providing valuable insights into the behavior and resilience of your system in such conditions.
By imposing these access restrictions, you can evaluate how your application and resources handle limited network access and ensure that they continue to operate effectively and securely.

Prerequisites

Kubernetes >= 1.17
ECS cluster running with the desired tasks and containers and familiarity with ECS service update and deployment concepts.
Create a Kubernetes secret that has the AWS access configuration(key) in the CHAOS_NAMESPACE. Below is a sample secret file:

apiVersion: v1
kind: Secret
metadata:
  name: cloud-secret
type: Opaque
stringData:
  cloud_config.yml: |-
    # Add the cloud AWS credentials respectively
    [default]
    aws_access_key_id = XXXXXXXXXXXXXXXXXXX
    aws_secret_access_key = XXXXXXXXXXXXXXX

tip

It is recommended to use the same secret name, that is, cloud-secret. Otherwise, you will need to update the AWS_SHARED_CREDENTIALS_FILE environment variable in the fault template and you may be unable to use the default health check probes.

Permissions required

Here is an example AWS policy to execute the fault.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupEgress"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

note

Refer to AWS named profile for chaos to use a different profile for AWS faults.
The ECS containers should be in a healthy state before and after introducing chaos.
Refer to the common attributes and AWS-specific tunables to tune the common tunables for all faults and AWS-specific tunables.
Refer to the superset permission/policy to execute all AWS faults.

Mandatory tunables

Tunable	Description	Notes
SECURITY_GROUP_IDS	Provide all the target security groups as comma separated values.	For example, `sg-12314,sg-2351324`.
REGION	Region name of the target ECS cluster	For example, `us-east-1`.

Optional tunable

Tunable	Description	Notes
TOTAL_CHAOS_DURATION	Duration that you specify, through which chaos is injected into the target resource (in seconds)	Defaults to 30s.
CHAOS_INTERVAL	Interval between successive instance terminations (in seconds)	Defaults to 30s.
AWS_SHARED_CREDENTIALS_FILE	Path to the AWS secret credentials	Defaults to `/tmp/cloud_config.yml`.
RULE_TYPE	Provide the rule type to be blocked. Supported value `inbound` and `outbound`.	Defaults to `inbound`.
RAMP_TIME	Period to wait before and after injecting chaos (in seconds)	For example, 30s.

Resouce Access Restrict

Security group for access restriction. Tune it by using the SECURITY_GROUP_IDS environment variable.

The following YAML snippet illustrates the use of this environment variable:

# Set task role resource for the target task
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
  name: aws-nginx
spec:
  engineState: "active"
  annotationCheck: "false"
  chaosServiceAccount: litmus-admin
  experiments:
  - name: resource-access-restrict
    spec:
      components:
        env:
        - name: SECURITY_GROUP_IDS
          value: 'sg-390240912830921,sg-89834791828231'
        - name: REGION
          value: 'us-east-2'
        - name: TOTAL_CHAOS_DURATION
          VALUE: '60'

Rule Type

Rule type for access restriction. Tune it by using the RULE_TYPE environment variable.

The following YAML snippet illustrates the use of this environment variable:

# Set task role resource for the target task
apiVersion: litmuschaos.io/v1alpha1
kind: ChaosEngine
metadata:
  name: aws-nginx
spec:
  engineState: "active"
  annotationCheck: "false"
  chaosServiceAccount: litmus-admin
  experiments:
  - name: resource-access-restrict
    spec:
      components:
        env:
        - name: RULE_TYPE
          value: 'inbound'
        - name: SECURITY_GROUP_IDS
          value: 'sg-390240912830921,sg-89834791828231'
        - name: REGION
          value: 'us-east-2'
        - name: TOTAL_CHAOS_DURATION
          VALUE: '60'

Use cases​

Prerequisites​

Permissions required​