Chaos Dashboard

Chaos Dashboard is a one-step web UI for managing, designing, and monitoring chaos experiments on Chaos Mesh. This document provides a step-by-step introduction on how to use Chaos Dashboard.

Install Chaos Dashboard

Chaos Dashboard is installed by default after v1.2.0. You can run the following command to check the status of the Chaos Dashboard Pod:

    # chaos-testing: the default namespace for installing Chaos Mesh
    kubectl get pod -n chaos-testing -l app.kubernetes.io/component=chaos-dashboard

Expected output:

    chaos-dashboard-b8767fbcd-46cnd 1/1 Running 0 31m

If the Chaos Dashboard Pod is not listed, you can add it by executing:

    helm upgrade chaos-mesh chaos-mesh/chaos-mesh --namespace=chaos-testing --set dashboard.create=true

Enable/Disable security mode

Chaos Dashboard supports a security mode, which requires users to log in with a token generated by Kubernetes. Each token is linked to a service account. You can only perform operations within the scope allowed by the role that is associated with the service account.

The security mode is enabled by default if you install via Helm. You can disable it by executing:

    helm upgrade chaos-mesh chaos-mesh/chaos-mesh --namespace=chaos-testing --set dashboard.securityMode=false

Note:

  • For actual testing scenarios, we strongly recommend that you enable the security mode.
  • The security mode is disabled if you install Chaos Mesh by install.sh, which is suitable for trying Chaos Mesh out.

Access Chaos Dashboard

A typical way to access Chaos Dashboard is to use kubectl port-forward:

    kubectl port-forward -n chaos-testing svc/chaos-dashboard 2333:2333

Now you should be able to access http://localhost:2333 in the browser.

Log In

By default, the security mode is enabled when you use Helm to install Chaos Mesh, and you need to log in to Chaos Dashboard with an account Name and Token. This section introduces how to create the account and the token. You can skip this step if you have disabled the security mode.

Create the account

Chaos Dashboard supports Role-Based Access Control (RBAC).

Note:

  • If you want to create the account later and start using Chaos Dashboard quickly, you can use the token of Chaos Mesh. This token belongs to the chaos-controller-manager service account, so it is scoped by that account's permissions, not by one of the roles below. Get the token by executing the following command, and then go directly to Fill in:

        kubectl -n chaos-testing describe secret $(kubectl -n chaos-testing get secret | grep chaos-controller-manager | awk '{print $1}')

To create the account:

  1. Create the Role. Here are sample role configurations that you can choose from and edit to meet your specific requirements. Save the configuration to a YAML file, and then use kubectl apply -f {YAML-File} to create it.

    • Cluster Manager

      This role has administrative permissions on chaos experiments under all namespaces in the Kubernetes cluster, including creating, updating, archiving, and viewing chaos experiments.

      Sample configuration file:

          kind: ClusterRole
          apiVersion: rbac.authorization.k8s.io/v1
          metadata:
            name: cluster-role-manager
          rules:
            - apiGroups: ['']
              resources: ['pods', 'namespaces']
              verbs: ['get', 'list', 'watch']
            - apiGroups:
                - chaos-mesh.org
              resources: ['*']
              verbs:
                - get
                - list
                - watch
                - create
                - update
                - patch
                - delete

    • Cluster Viewer

      This role has permission to view chaos experiments under all namespaces in the Kubernetes cluster.

      Sample configuration file:

          kind: ClusterRole
          apiVersion: rbac.authorization.k8s.io/v1
          metadata:
            name: cluster-role-viewer
          rules:
            - apiGroups: ['']
              resources: ['pods', 'namespaces']
              verbs: ['get', 'list', 'watch']
            - apiGroups:
                - chaos-mesh.org
              resources: ['*']
              verbs:
                - get
                - list
                - watch

    • Namespace Manager

      This role has administrative permissions on chaos experiments under a specified namespace in the Kubernetes cluster, including creating, updating, archiving, and viewing chaos experiments.

      The sample configuration file is as follows:

          kind: Role
          apiVersion: rbac.authorization.k8s.io/v1
          metadata:
            name: namespace-test-role-manager
            namespace: test
          rules:
            - apiGroups: ['']
              resources: ['pods', 'namespaces']
              verbs: ['get', 'list', 'watch']
            - apiGroups:
                - chaos-mesh.org
              resources: ['*']
              verbs:
                - get
                - list
                - watch
                - create
                - update
                - patch
                - delete

    • Namespace Viewer

      This role has permission to view chaos experiments under a specified namespace in the Kubernetes cluster.

      Sample configuration file:

          kind: Role
          apiVersion: rbac.authorization.k8s.io/v1
          metadata:
            name: namespace-test-role-viewer
            namespace: test
          rules:
            - apiGroups: ['']
              resources: ['pods', 'namespaces']
              verbs: ['get', 'list', 'watch']
            - apiGroups:
                - chaos-mesh.org
              resources: ['*']
              verbs:
                - get
                - list
                - watch

  2. Create a ServiceAccount, and bind it with a specific Role. Refer to RBAC for more details. Here are sample configurations that you can choose from and edit to meet your specific requirements. Save the configuration to a YAML file, and then use kubectl apply -f {YAML-File} to create it.

    • Create a ServiceAccount and bind cluster role

      Create a ServiceAccount and bind it with the role Cluster Manager or Cluster Viewer.

      Sample configuration file:

          kind: ServiceAccount
          apiVersion: v1
          metadata:
            name: account-cluster-manager # use "account-cluster-viewer" for viewer
            namespace: chaos-testing
          ---
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
          metadata:
            name: bind-cluster-manager # use "bind-cluster-viewer" for viewer
          subjects:
            - kind: ServiceAccount
              name: account-cluster-manager # use "account-cluster-viewer" for viewer
              namespace: chaos-testing
          roleRef:
            kind: ClusterRole
            name: cluster-role-manager # use "cluster-role-viewer" for viewer
            apiGroup: rbac.authorization.k8s.io

    • Create a ServiceAccount and bind namespace role

      Create a ServiceAccount and bind it with the role Namespace Manager or Namespace Viewer.

      Sample configuration file:

          kind: ServiceAccount
          apiVersion: v1
          metadata:
            name: account-namespace-test-manager # use "account-namespace-test-viewer" for viewer
            namespace: test
          ---
          apiVersion: rbac.authorization.k8s.io/v1
          kind: RoleBinding
          metadata:
            name: bind-namespace-test-manager # use "bind-namespace-test-viewer" for viewer
            namespace: test
          subjects:
            - kind: ServiceAccount
              name: account-namespace-test-manager # use "account-namespace-test-viewer" for viewer
              namespace: test
          roleRef:
            kind: Role
            name: namespace-test-role-manager # use "namespace-test-role-viewer" for viewer
            apiGroup: rbac.authorization.k8s.io

Get the token

The token is generated by Kubernetes. To get a token for the ServiceAccount created above, run the command below:

    kubectl -n ${namespace} describe secret $(kubectl -n ${namespace} get secret | grep ${service-account-name} | awk '{print $1}')

Note:

  • You need to replace ${namespace} and ${service-account-name} with the actual values. For example, run kubectl -n chaos-testing describe secret $(kubectl -n chaos-testing get secret | grep account-cluster-manager | awk '{print $1}') to get the token of the account-cluster-manager ServiceAccount created above.

Refer to getting-a-bearer-token for more details.
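
Before a token is used in the dashboard, you can confirm that the ServiceAccount behind it is limited to what its role intends. The script below is an added example, not part of the Chaos Mesh documentation: it asks the API server through kubectl auth can-i, assumes your own user is allowed to impersonate service accounts, and uses podchaos.chaos-mesh.org as an assumed probe resource.

```shell
#!/usr/bin/env bash
# Added example, not part of the Chaos Mesh docs. Assumes kubectl points at the
# cluster and the caller may impersonate service accounts (required by --as).
# "podchaos.chaos-mesh.org" is an assumed probe resource; pass another as arg 4.

READ_VERBS="get list watch"
WRITE_VERBS="create update patch delete"

# sa_can SA_NS SA_NAME TARGET_NS VERB RESOURCE: succeeds only on an explicit "yes".
sa_can() {
  local answer
  answer="$(kubectl auth can-i "$4" "$5" -n "$3" \
    --as="system:serviceaccount:$1:$2" 2>/dev/null)" || true
  [ "$answer" = "yes" ]
}

# count_allowed SA_NS SA_NAME TARGET_NS RESOURCE VERB...: prints the number allowed.
count_allowed() {
  local sa_ns="$1" sa="$2" ns="$3" res="$4" n=0 verb
  shift 4
  for verb in "$@"; do
    if sa_can "$sa_ns" "$sa" "$ns" "$verb" "$res"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# classify_sa SA_NS SA_NAME TARGET_NS [RESOURCE]: prints viewer, manager, none or
# partial, plus "+extra" when the account exceeds the sample roles' core-API access.
classify_sa() {
  local sa_ns="$1" sa="$2" ns="$3" res="${4:-podchaos.chaos-mesh.org}" r w scope
  r="$(count_allowed "$sa_ns" "$sa" "$ns" "$res" $READ_VERBS)"
  w="$(count_allowed "$sa_ns" "$sa" "$ns" "$res" $WRITE_VERBS)"
  case "$r/$w" in
    3/4) scope=manager ;;
    3/0) scope=viewer ;;
    0/0) scope=none ;;
    *)   scope=partial ;;
  esac
  # The sample roles grant only get/list/watch on pods and namespaces.
  if sa_can "$sa_ns" "$sa" "$ns" get secrets ||
     sa_can "$sa_ns" "$sa" "$ns" delete pods; then
    scope="$scope+extra"
  fi
  echo "$scope"
}

# Usage: ./check-sa.sh test account-namespace-test-viewer test
if [ "$#" -ge 3 ]; then classify_sa "$@"; fi
```

A result of viewer or manager matches the sample roles; a "+extra" suffix or partial means the account's bindings differ from them and should be reviewed before its token is shared.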

Fill in

With the token generated, you need to identify it with a Name. A meaningful name is recommended, for example, Cluster-Manager, to indicate that the token has permission to manage chaos experiments in the cluster.

Fill in the form with Name and Token:

[Image: dashboard-login]

Create a chaos experiment

To create a chaos experiment on Chaos Dashboard:

  1. Click the NEW EXPERIMENT button to create a new chaos experiment:

    [Image: dashboard-new-experiment]

  2. Configure the chaos experiment, including the experiment type, name, scheduling information, etc.

    [Image: dashboard-fill-experiment]

Manage a chaos experiment

To manage a specific chaos experiment:

  1. Click the Experiments button to view all the chaos experiments.

    [Image: dashboard-experiments]

  2. Choose the target experiment to view its details, or to archive, pause, or update it.

    [Image: dashboard-experiment-detail]

Quick glance

After the steps above, you know how to create an experiment and view its details. But this is only one of the main features of the dashboard.

Next, you can click the TUTORIAL button on the homepage to learn about all the features of the dashboard.

[Image: dashboard-home]

Manage existing tokens

To create and manage existing tokens:

[Image: dashboard-settings]

Note:

If dashboard.securityMode=false is set, this section is not displayed.