# Installing Chaos Mesh


[Chaos Mesh](https://chaos-mesh.org/) is an open-source platform that you can use to simulate various failures and faults in your Kubernetes clusters. You can perform simulation at different development and testing stages, as well as after release. You can use Chaos Mesh to detect and eliminate potential threats and set up security policies, e.g., using [Kyverno](kyverno.md).

{% note warning %}

Check fault scenarios on a test cluster first to avoid compromising the performance of the main cluster.

{% endnote %}

## Getting started {#before-you-begin}

1. [Create](../kubernetes-cluster/kubernetes-cluster-create.md) a Managed Service for Kubernetes cluster.
1. [Create a node group](../node-group/node-group-create.md) with at least 14 GB of RAM.
1. [Make sure](../connect/security-groups.md) the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If a rule is missing, [add it](../../../vpc/operations/security-group-add-rule.md).

    {% note warning %}
    
    The configuration of security groups determines performance and availability of the cluster and the services and applications running in it.
    
    {% endnote %}

## Installation from Yandex Cloud Marketplace {#marketplace-install}

1. In the [management console](https://console.yandex.cloud), select a folder.
1. Navigate to **Managed Service for Kubernetes**.
1. Click the name of the [Managed Service for Kubernetes cluster](../../concepts/index.md#kubernetes-cluster) you need and select the ![image](../../../_assets/console-icons/shopping-cart.svg) **Marketplace** tab.
1. Under **Application available for installation**, select [Chaos Mesh with Yandex Cloud support](https://yandex.cloud/en/marketplace/products/yc/chaos-mesh) and click **Go to install**.
1. Configure the application:

   * **Namespace**: Create a new [namespace](../../concepts/index.md#namespace), e.g., `chaos-mesh-space`. If you leave the default namespace, Chaos Mesh may work incorrectly.
   * **Application name**: Specify the application name.

1. Click **Install**.
1. Wait for the application status to change to `Deployed`.

## Installation using a Helm chart {#helm-install}

1. [Install Helm](https://helm.sh/docs/intro/install/) v3.8.0 or higher.
1. [Install kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl) and [configure it to work with the new cluster](../connect/index.md#kubectl-connect).

1. To install a [Helm chart](https://helm.sh/docs/topics/charts/) with Chaos Mesh, run this command:

   ```bash
   helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/chaos-mesh/chart/chaos-mesh \
     --version 2.8.0 \
     --untar && \
   helm install \
     --namespace <namespace> \
     --create-namespace \
     chaos-mesh ./chaos-mesh/
   ```

   If you set `namespace` to the default namespace, Chaos Mesh may work incorrectly. We recommend specifying a value different from all the existing namespaces, e.g., `chaos-mesh-space`.

   {% note info %}
   
   If you are using a Helm version below 3.8.0, add the `export HELM_EXPERIMENTAL_OCI=1 && \` string at the beginning of the command to enable [Open Container Initiative](https://opencontainers.org/) (OCI) support in the Helm client.
   
   {% endnote %}

You can check the current version of the Helm chart on the [application page](https://yandex.cloud/en/marketplace/products/yc/chaos-mesh#docker-images).

## Chaos Mesh web interface and authorization {#interface-and-authorization}

Once you install Chaos Mesh, use its web interface to go through the authorization process. Proceed as follows:

1. [Connect to your cluster](../connect/index.md#kubectl-connect).
1. Forward local port `8080` to the Chaos Mesh web interface (port `2333` of the `chaos-dashboard` service):

   ```bash
   kubectl port-forward service/chaos-dashboard 8080:2333 \
      --namespace <namespace>
   ```

   In the command, specify the namespace you selected when installing the application.

   Result:

   ```text
   Forwarding from 127.0.0.1:8080 -> 2333
   Forwarding from [::1]:8080 -> 2333
   ```

1. In your browser, go to [http://localhost:8080](http://localhost:8080). This will open the authorization window of the Chaos Mesh web interface.
1. To log in, you need a Kubernetes account and token. Get them using one of the two methods:

   * [Create an account and token](https://chaos-mesh.org/docs/manage-user-permissions/) for Chaos Mesh. For the account, you can set up access permissions in a specific namespace.
   * For Kubernetes clusters 1.24 or higher, use a Kubernetes service account and create a token for it:

      1. View a list of available Kubernetes service accounts:

         ```bash
         kubectl get serviceAccounts
         ```

         Each account has its own access permissions.

      1. Select the account you need and create a token:

         ```bash
         kubectl create token <account_name>
         ```
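
A namespace-scoped account for the dashboard login, as an added example that is not part of the original page or the Chaos Mesh project: the function renders a ServiceAccount, Role and RoleBinding limited to one namespace, read-only (`viewer`) or read-write (`manager`). The names `chaos-viewer` and `chaos-testing` and the rule set are assumptions; compare them with the manifest your Chaos Mesh version generates.

```shell
#!/bin/sh
# Added example, not from the Chaos Mesh or Yandex Cloud documentation.
# Renders a namespace-scoped account for the dashboard login instead of
# reusing whichever service account already exists in the cluster.
# Assumed names: account "chaos-viewer", namespace "chaos-testing".

render_dashboard_rbac() {   # usage: render_dashboard_rbac <namespace> <account> viewer|manager
  case $3 in
    viewer)  verbs='"get", "list", "watch"' ;;
    manager) verbs='"get", "list", "watch", "create", "delete", "patch", "update"' ;;
    *) echo "role must be viewer or manager" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: $2, namespace: $1}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: $2, namespace: $1}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["chaos-mesh.org"]
  resources: ["*"]
  verbs: [$verbs]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: $2, namespace: $1}
subjects:
- {kind: ServiceAccount, name: $2, namespace: $1}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: $2}
EOF
}

# Usage against a cluster (not run here):
#   render_dashboard_rbac chaos-testing chaos-viewer viewer | kubectl apply -f -
#   kubectl auth can-i --list --namespace chaos-testing \
#     --as system:serviceaccount:chaos-testing:chaos-viewer
#   kubectl create token chaos-viewer --namespace chaos-testing --duration 1h
```

The `kubectl auth can-i --list` call shows what the account can do before its token is pasted into the dashboard, and `--duration` keeps the token short-lived.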

## Working with Yandex Cloud resources {#yandex-cloud-resources}

The application features the `YCChaos` scenario for simulation of VM node failures, e.g., restarts or stops. You can use it to test cloud-dependent systems for fault tolerance.

For example, to use `YCChaos` to simulate a VM node restart:

1. [Create a service account](../../../iam/operations/sa/create.md) and [assign](../../../iam/operations/sa/assign-role-for-sa.md) it the `compute.operator` role.
1. [Issue an authorized key](../../../iam/operations/authentication/manage-authorized-keys.md#create-authorized-key) and save it to a file named `sa-key.json`.
1. Create a namespace named `chaos-testing`.
1. Create a Kubernetes secret based on the authorized key you created:

   ```shell
   kubectl create secret generic yc-sa-secret \
       --from-file=sa-key.json=./sa-key.json \
       -n chaos-testing
   ```

1. Save the workflow example with the `YCChaos` scenario to the `chaos.yaml` file:

   ```yaml
   apiVersion: chaos-mesh.org/v1alpha1
   kind: Workflow
   metadata:
     name: yc-random-batch
     namespace: chaos-testing
   spec:
     entry: parallel
     templates:
     - name: parallel
       templateType: Parallel
       children: [yc-1, yc-2]

     - name: yc-1
       templateType: YCChaos
       deadline: 5m
       ycChaos:
         action: compute-restart
         computeInstance: <VM_1_ID>
         secretName: yc-sa-secret

     - name: yc-2
       templateType: YCChaos
       deadline: 5m
       ycChaos:
         action: compute-restart
         computeInstance: <VM_2_ID>
         secretName: yc-sa-secret
   ```

   Description of available `YCChaos` fields:

   * `action`: Action to execute. Possible values: `compute-stop` to stop the VM or `compute-restart` to restart. The default value is `compute-stop`.
   * `computeInstance`: ID of the VM the action is applied to.
   * `duration`: Scenario duration. This is an optional field.
   * `remoteCluster`: Cluster to run the scenario in. This is an optional field.
   * `secretName`: Name of the Kubernetes secret containing the authorized key of the service account running the scenario.

1. Create a workflow using this command:

   ```shell
   kubectl apply -f chaos.yaml
   ```

1. Make sure the specified VMs restart after you create the workflow.

   You can view the workflow results in the [Chaos Mesh web interface](#interface-and-authorization).

{% note info %}

You can experiment with the `YCChaos` scenario directly in the Chaos Mesh web interface.

{% endnote %}
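
A pre-apply check for the workflow above, added here as an example and not part of Chaos Mesh or Yandex Cloud tooling: it refuses a `chaos.yaml` whose `ycChaos` blocks target a VM outside an explicit allow-list of test VMs, still contain a `<VM_N_ID>` placeholder, or use an action other than the two documented ones. The function names, the sample VM IDs and the block-style YAML layout are assumptions.

```shell
#!/bin/sh
# Added example, not Chaos Mesh or Yandex Cloud tooling. Guard to run before
# `kubectl apply -f chaos.yaml`: every ycChaos target must be an allow-listed
# test VM and every action one of the two documented values.

# Print the values of <key> found inside the ycChaos: blocks of <file>.
ycchaos_values() {          # usage: ycchaos_values <file> <key>
  awk -v key="$2:" 'BEGIN { blk = -1 }
    { sub(/^#.*$/, ""); sub(/[ \t]+#.*$/, "") }   # strip comments
    /^[ \t]*$/ { next }                           # skip blank lines
    { match($0, /^ */); ind = RLENGTH }           # indentation of this line
    $1 == "ycChaos:" { blk = ind; next }          # a ycChaos block starts
    blk >= 0 && ind <= blk { blk = -1 }           # dedent: the block has ended
    blk >= 0 && $1 == key { v = $2; gsub(/"/, "", v); print (v == "" ? "<empty>" : v) }
  ' "$1"
}

# Return 0 only if <file> is safe to apply; reasons are written to stderr.
check_ycchaos_targets() {   # usage: check_ycchaos_targets <file> <allowed_vm_id>...
  file=$1; shift; rc=0
  ids=$(ycchaos_values "$file" computeInstance)
  [ -n "$ids" ] || { echo "no ycChaos computeInstance in $file" >&2; rc=1; }
  for id in $ids; do
    ok=0
    for allowed in "$@"; do
      if [ "$id" = "$allowed" ]; then ok=1; fi
    done
    case $id in
      "<"*">") echo "unreplaced placeholder: $id" >&2; rc=1 ;;
      *) [ "$ok" -eq 1 ] || { echo "VM not on allow-list: $id" >&2; rc=1; } ;;
    esac
  done
  for action in $(ycchaos_values "$file" action); do
    case $action in
      compute-stop|compute-restart) ;;
      *) echo "unknown action: $action" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample input: two YCChaos templates, one with its placeholder left in.
sample_workflow() {         # usage: sample_workflow > chaos.yaml
  printf '%s\n' 'spec:' '  templates:' \
    '  - name: yc-1' '    templateType: YCChaos' '    ycChaos:' \
    '      action: compute-restart' '      computeInstance: test-vm-1  # made-up ID' \
    '  - name: yc-2' '    templateType: YCChaos' '    ycChaos:' \
    '      action: compute-restart' '      computeInstance: <VM_2_ID>'
}
```

Run it as `check_ycchaos_targets chaos.yaml <test_vm_id>... && kubectl apply -f chaos.yaml`, listing only the IDs of VMs in the test cluster.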

## See also {#see-also}

* [Chaos Mesh documentation](https://chaos-mesh.org/docs/)