Add an example how to install and operate chaoskube in particular namespace #182

Closed
przemolb opened this issue Mar 9, 2020 · 2 comments

przemolb commented Mar 9, 2020

Hello,

I'd like to install chaoskube in a particular namespace and give it the right to kill pods only in this namespace. Do you have an example (deployment + RBAC) for that?

Owner

linki commented Mar 12, 2020

Hi @przemolb,

This is currently not fully working. chaoskube needs to have at least "read pods" access to all namespaces due to the way it's currently implemented. It won't read or touch anything in other namespaces but if you don't grant permission it will fail.

Please follow #92 for a fully working solution.

The current way to do it is the following:

Start chaoskube with the correct namespace filter:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: chaoskube
...
spec:
...
      containers:
      - name: chaoskube
        image: quay.io/linki/chaoskube:v0.18.0
        args:
        - --namespaces=my-namespace
...

Grant chaoskube global "read pods" permission.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: chaoskube
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]

Grant chaoskube "delete-pods" and "create-events" permission in your namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: chaoskube
  namespace: my-namespace
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["delete"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create"]
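
The ClusterRole and Role in the comment above take effect only once they are bound to the identity chaoskube runs as. The bindings below are an added example, not part of the original comment or the chaoskube project; the ServiceAccount name `chaoskube` and its placement in `my-namespace` are assumptions.

```yaml
# Added example, not from the chaoskube project. Assumptions: chaoskube runs in
# my-namespace under a ServiceAccount named "chaoskube", and the Deployment's
# pod spec sets serviceAccountName: chaoskube.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: chaoskube
  namespace: my-namespace
---
# Cluster-wide binding: only the "list pods" ClusterRole is bound here, so the
# account can read pods in every namespace but change nothing outside its own.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: chaoskube
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: chaoskube
subjects:
- kind: ServiceAccount
  name: chaoskube
  namespace: my-namespace
---
# Namespaced binding: "delete pods" and "create events" apply in my-namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chaoskube
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: chaoskube
subjects:
- kind: ServiceAccount
  name: chaoskube
  namespace: my-namespace
```

Running `kubectl auth can-i delete pods --as=system:serviceaccount:my-namespace:chaoskube -n <other-namespace>` is a quick way to confirm the delete permission does not extend beyond `my-namespace`.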

Owner

linki commented Jan 5, 2023

chaoskube v0.27.0 can now be run while limiting RBAC permissions to a single namespace. Please check out #399 (comment) for instructions on how to use it.

linki closed this as completed Jan 5, 2023