Install Gremlin on OpenShift 4
Pre-requisites
Download authentication keys
Gremlin requires authentication during installation. You will need to download your Gremlin certificate key-pair in order to connect to your Gremlin team. With the key pair extracted to your local system, export the following variables into a local shell, supplying the appropriate values.
1export GREMLIN_TEAM_ID=11111111-1111-1111-1111111111112export GREMLIN_CLUSTER_ID=my-cluster3export PATH_TO_CERTIFICATE=/path/to/unzipped/cert.pem4export PATH_TO_PRIVATE_KEY=/path/to/unzipped/key.pem
Install Gremlin SELinux policy
As Openshift uses SELinux, Gremlin requires a custom SELinux policy to grant the minimal permissions needed. You can install either Using SSH, or Using Gremlin Machine Config Operator as documented below. Learn more about Gremlin's integration with SELinux on the policy's Github page. There are two methods to install the Gremlin SELinux Policy: Using SSH or Using Gremlin Machine Config Operator.
Using SSH
On every OpenShift node, run the following command to install the SELinux module
1curl -fsSL https://github.com/gremlin/selinux-policies/releases/download/v0.0.3/selinux-policies-v0.0.3.tar.gz -o selinux-policies-v0.0.3.tar.gz2tar xzf selinux-policies-v0.0.3.tar.gz3sudo semodule -i selinux-policies-v0.0.3/gremlin-openshift4.cil
Using Gremlin Machine Config Operator
Gremlin provides an open-source Machine Config Operator (MCO) for installing the Gremlin SELinux policy to Worker nodes using the Openshift 4 Command-Line Interface (CLI). The MCO files and instructions are available from the Gremlin Field Solutions GitHub repository.
Helm Installation
1oc new-project gremlin2helm repo add gremlin https://helm.gremlin.com/3helm install gremlin gremlin/gremlin \4 --namespace gremlin \5 --set gremlin.hostPID=true \6 --set gremlin.container.driver=crio-runc \7 --set gremlin.podSecurity.securityContextConstraints.create=true \8 --set gremlin.podSecurity.seccomp.enabled=true \9 --set gremlin.secret.managed=true \10 --set gremlin.secret.teamID=$GREMLIN_TEAM_ID \11 --set gremlin.secret.clusterID=$GREMLIN_CLUSTER_ID \12 --set-file gremlin.secret.certificate=$PATH_TO_CERTIFICATE \13 --set-file gremlin.secret.key=$PATH_TO_PRIVATE_KEY
Manual Installation
1oc new-project gremlin2mkdir gremlin-openshift43wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/chao-deployment.yaml4wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/chao-service-account.yaml5wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/daemonset.yaml6wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/gremlin-scc.yaml7wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/gremlin-seccomp-configmap.yaml8wget -P gremlin-openshift4/ https://k8s.gremlin.com/resources/gremlin-openshift4/v1/gremlin-service-account.yaml9oc create secret generic gremlin-team-cert \10 --from-literal=GREMLIN_TEAM_ID=$GREMLIN_TEAM_ID \11 --from-literal=GREMLIN_CLUSTER_ID=$GREMLIN_CLUSTER_ID \12 --from-file=gremlin.cert=$PATH_TO_CERTIFICATE \13 --from-file=gremlin.key=$PATH_TO_PRIVATE_KEY14oc create -f gremlin-openshift4/
Run Attacks
You can now run attacks on your cluster, including Kubernetes attacks.
Troubleshooting
Please check our OpenShift troubleshooting section for common issues and solutions.