Infrastructure Layer

Install Gremlin on OpenShift 4

Pre-requisites

Download Authentication Keys

Gremlin requires authentication during installation. You will need to download your Gremlin certificate key-pair in order to connect to your Gremlin team. With the key pair extracted to your local system, export the following variables into a local shell, supplying the appropriate values.

shell

1export GREMLIN_TEAM_ID=11111111-1111-1111-111111111111
2export GREMLIN_CLUSTER_ID=my-cluster
3export PATH_TO_CERTIFICATE=/path/to/unzipped/cert.pem
4export PATH_TO_PRIVATE_KEY=/path/to/unzipped/key.pem

Install Gremlin SELinux Policy

As Openshift uses SELinux, Gremlin requires a custom SELinux policy to grant the minimal permissions needed. Find out more about Gremlin's integration with SELinux on the policy's Github page

On every OpenShift node, run the following command to install the SELinux module

shell

1curl -fsSL https://github.com/gremlin/selinux-policies/releases/download/v0.0.2/selinux-policies-v0.0.2.tar.gz -o selinux-policies-v0.0.2.tar.gz
2tar xzf selinux-policies-v0.0.2.tar.gz
3sudo semodule -i selinux-policies-v0.0.2/gremlin-openshift4.cil

Helm Installation

If you do not wish to install with Helm, skip this section and use Manual Installation instead.

shell

1oc new-project gremlin
2helm repo add gremlin https://helm.gremlin.com/
3helm install gremlin gremlin/gremlin \
4    --namespace gremlin \
5    --set      gremlin.hostPID=true \
6    --set      gremlin.container.driver=crio-runc \
7    --set      gremlin.podSecurity.securityContextConstraints.create=true \
8    --set      gremlin.podSecurity.seccomp.enabled=true \
9    --set      gremlin.secret.managed=true \
10    --set      gremlin.secret.teamID=$GREMLIN_TEAM_ID \
11    --set      gremlin.secret.clusterID=$GREMLIN_CLUSTER_ID \
12    --set-file gremlin.secret.certificate=$PATH_TO_CERTIFICATE \
13    --set-file gremlin.secret.key=$PATH_TO_PRIVATE_KEY

Manual Installation

shell

1oc new-project gremlin
2mkdir gremlin-openshift4
3wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/chao-deployment.yaml
4wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/chao-service-account.yaml
5wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/daemonset.yaml
6wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/gremlin-scc.yaml
7wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/gremlin-seccomp-configmap.yaml
8wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/gremlin-service-account.yaml
9oc create secret generic gremlin-team-cert \
10    --from-literal=GREMLIN_TEAM_ID=$GREMLIN_TEAM_ID \
11    --from-literal=GREMLIN_CLUSTER_ID=$GREMLIN_CLUSTER_ID \
12    --from-file=gremlin.cert=$PATH_TO_CERTIFICATE \
13    --from-file=gremlin.key=$PATH_TO_PRIVATE_KEY
14oc create -f gremlin-openshift4/

Run Attacks

You can now run attacks on your cluster, including Kubernetes attacks.

Troubleshooting

Please check our OpenShift troubleshooting section for common issues and solutions.