Infrastructure Layer

Install Gremlin on OpenShift 4

Pre-requisites

Download authentication keys

Gremlin requires authentication during installation. You will need to download your Gremlin certificate key-pair in order to connect to your Gremlin team. With the key pair extracted to your local system, export the following variables into a local shell, supplying the appropriate values.

shell
1export GREMLIN_TEAM_ID=11111111-1111-1111-111111111111
2export GREMLIN_CLUSTER_ID=my-cluster
3export PATH_TO_CERTIFICATE=/path/to/unzipped/cert.pem
4export PATH_TO_PRIVATE_KEY=/path/to/unzipped/key.pem

Install Gremlin SELinux policy

As Openshift uses SELinux, Gremlin requires a custom SELinux policy to grant the minimal permissions needed. You can install either Using SSH, or Using Gremlin Machine Config Operator as documented below. Learn more about Gremlin's integration with SELinux on the policy's Github page. There are two methods to install the Gremlin SELinux Policy: Using SSH or Using Gremlin Machine Config Operator.

Using SSH

On every OpenShift node, run the following command to install the SELinux module

shell
1curl -fsSL https://github.com/gremlin/selinux-policies/releases/download/v0.0.3/selinux-policies-v0.0.3.tar.gz -o selinux-policies-v0.0.3.tar.gz
2tar xzf selinux-policies-v0.0.3.tar.gz
3sudo semodule -i selinux-policies-v0.0.3/gremlin-openshift4.cil
Using Gremlin Machine Config Operator

Gremlin provides an open-source Machine Config Operator (MCO) for installing the Gremlin SELinux policy to Worker nodes using the Openshift 4 Command-Line Interface (CLI). The MCO files and instructions are available from the Gremlin Field Solutions GitHub repository.

Helm Installation

shell
1oc new-project gremlin
2helm repo add gremlin https://helm.gremlin.com/
3helm install gremlin gremlin/gremlin \
4 --namespace gremlin \
5 --set gremlin.hostPID=true \
6 --set gremlin.container.driver=crio-runc \
7 --set gremlin.podSecurity.securityContextConstraints.create=true \
8 --set gremlin.podSecurity.seccomp.enabled=true \
9 --set gremlin.secret.managed=true \
10 --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \
11 --set gremlin.secret.clusterID=$GREMLIN_CLUSTER_ID \
12 --set-file gremlin.secret.certificate=$PATH_TO_CERTIFICATE \
13 --set-file gremlin.secret.key=$PATH_TO_PRIVATE_KEY

Manual Installation

shell
1oc new-project gremlin
2mkdir gremlin-openshift4
3wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/chao-deployment.yaml
4wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/chao-service-account.yaml
5wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/daemonset.yaml
6wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/gremlin-scc.yaml
7wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/gremlin-seccomp-configmap.yaml
8wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/gremlin-service-account.yaml
9oc create secret generic gremlin-team-cert \
10 --from-literal=GREMLIN_TEAM_ID=$GREMLIN_TEAM_ID \
11 --from-literal=GREMLIN_CLUSTER_ID=$GREMLIN_CLUSTER_ID \
12 --from-file=gremlin.cert=$PATH_TO_CERTIFICATE \
13 --from-file=gremlin.key=$PATH_TO_PRIVATE_KEY
14oc create -f gremlin-openshift4/

Run Attacks

You can now run attacks on your cluster, including Kubernetes attacks.

Troubleshooting

Please check our OpenShift troubleshooting section for common issues and solutions.