Merge pull request #179563 from johnkemnetz/master

Add CLI version of AKS article

Author: denrea

.openpublishing.redirection.json

@@ -47460,6 +47460,11 @@
       "source_path_from_root": "/articles/chaos-studio/chaos-studio-tutorial-service-direct.md",
       "redirect_url": "/azure/chaos-studio/chaos-studio-tutorial-service-direct-portal",
       "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/chaos-studio/chaos-studio-tutorial-aks.md",
+      "redirect_url": "/azure/chaos-studio/chaos-studio-tutorial-aks-portal",
+      "redirect_document_id": false
     }
   ]
 }

articles/chaos-studio/TOC.yml

@@ -43,7 +43,11 @@
     - name: CLI
       href: chaos-studio-tutorial-agent-based-cli.md
   - name: Create and run experiment - Chaos Mesh faults on AKS
-    href: chaos-studio-tutorial-aks.md
+    items:
+    - name: Portal
+      href: chaos-studio-tutorial-aks-portal.md
+    - name: CLI
+      href: chaos-studio-tutorial-aks-cli.md
   - name: Troubleshoot common issues
     href: troubleshooting.md
 - name: Reference

articles/chaos-studio/chaos-studio-fault-library.md

@@ -61,4 +61,4 @@ Chaos Studio encrypts all data by default. Chaos Studio only accepts input for s
 ## Next steps
 Now that you understand how to secure your chaos experiment you are ready to:
 - [Create and run your first experiment](chaos-studio-tutorial-service-direct-portal.md)
-- [Create and run your first Azure Kubernetes Service experiment](chaos-studio-tutorial-aks.md)
+- [Create and run your first Azure Kubernetes Service experiment](chaos-studio-tutorial-aks-portal.md)

articles/chaos-studio/chaos-studio-permissions-security.md

@@ -0,0 +1,211 @@
+---
+title: Create an experiment that uses an AKS Chaos Mesh fault using Azure Chaos Studio with the Azure CLI
+description: Create an experiment that uses an AKS Chaos Mesh fault with the Azure CLI
+author: johnkemnetz
+ms.topic: how-to
+ms.date: 11/11/2021
+ms.author: johnkem
+ms.service: chaos-studio
+ms.custom: template-how-to, ignite-fall-2021
+---
+
+# Create a chaos experiment that uses a Chaos Mesh fault with the Azure CLI
+
+You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. In this guide, you will cause periodic Azure Kubernetes Service pod failures on a namespace using a chaos experiment and Azure Chaos Studio. Running this experiment can help you defend against service unavailability when there are sporadic failures.
+
+Azure Chaos Studio uses [Chaos Mesh](https://chaos-mesh.org/), a free, open-source chaos engineering platform for Kubernetes to inject faults into an AKS cluster. Chaos Mesh faults are [service-direct](chaos-studio-tutorial-aks-portal.md) faults that require Chaos Mesh to be installed on the AKS cluster. These same steps can be used to set up and run an experiment for any AKS Chaos Mesh fault.
+
+## Prerequisites
+
+- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)] 
+- An AKS cluster. If you do not have an AKS cluster, you can [follow these steps to create one](../aks/kubernetes-walkthrough-portal.md).
+
+## Launch Azure Cloud Shell
+
+The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. 
+
+To open the Cloud Shell, just select **Try it** from the upper right corner of a code block. You can also open Cloud Shell in a separate browser tab by going to [https://shell.azure.com/bash](https://shell.azure.com/bash). Select **Copy** to copy the blocks of code, paste it into the Cloud Shell, and select **Enter** to run it.
+
+If you prefer to install and use the CLI locally, this tutorial requires Azure CLI version 2.0.30 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI]( /cli/azure/install-azure-cli).
+
+## Set up Chaos Mesh on your AKS cluster
+
+Before you can run Chaos Mesh faults in Chaos Studio, you need to install Chaos Mesh on your AKS cluster.
+
+1. Run the following commands in an [Azure Cloud Shell](../cloud-shell/overview.md) window where you have the active subscription set to be the subscription where your AKS cluster is deployed. Replace `$RESOURCE_GROUP` and `$CLUSTER_NAME` with the resource group and name of your cluster resource.
+
+   ```azurecli-interactive
+   az aks get-credentials -g $RESOURCE_GROUP -n $CLUSTER_NAME
+   helm repo add chaos-mesh https://charts.chaos-mesh.org
+   helm repo update
+   kubectl create ns chaos-testing
+   helm install chaos-mesh chaos-mesh/chaos-mesh --namespace=chaos-testing --version 2.0.3 --set chaosDaemon.runtime=containerd --set chaosDaemon.socketPath=/run/containerd/containerd.sock
+   ```
+
+2. Verify that the Chaos Mesh pods are installed by running the following command:
+
+   ```azurecli-interactive
+   kubectl get po -n chaos-testing
+   ```
+
+You should see output similar to the following (a chaos-controller-manager and one or more chaos-daemons):
+
+```bash
+NAME                                        READY   STATUS    RESTARTS   AGE
+chaos-controller-manager-69fd5c46c8-xlqpc   1/1     Running   0          2d5h
+chaos-daemon-jb8xh                          1/1     Running   0          2d5h
+chaos-dashboard-98c4c5f97-tx5ds             1/1     Running   0          2d5h
+```
+
+You can also [use the installation instructions on the Chaos Mesh website](https://chaos-mesh.org/docs/production-installation-using-helm/).
+
+
+## Enable Chaos Studio on your AKS cluster
+
+Chaos Studio cannot inject faults against a resource unless that resource has been onboarded to Chaos Studio first. You onboard a resource to Chaos Studio by creating a [target and capabilities](chaos-studio-targets-capabilities.md) on the resource. AKS clusters only have one target type (service-direct), but other resources may have up to two target types - one for service-direct faults and one for agent-based faults. Each type of Chaos Mesh fault is represented as a capability (PodChaos, NetworkChaos, IOChaos, etc.).
+
+1. Create a target by replacing `$RESOURCE_ID` with the resource ID of the AKS cluster you are onboarding:
+
+    ```azurecli-interactive
+    az rest --method put --url "https://management.azure.com/$RESOURCE_ID/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh?api-version=2021-09-15-preview" --body "{\"properties\":{}}"
+    ```
+
+2. Create the capabilities on the target by replacing `$RESOURCE_ID` with the resource ID of the AKS cluster you are onboarding and `$CAPABILITY` with the [name of the fault capability you are enabling](chaos-studio-fault-library.md).
+    
+    ```azurecli-interactive
+    az rest --method put --url "https://management.azure.com/$RESOURCE_ID/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh/capabilities/$CAPABILITY?api-version=2021-09-15-preview"  --body "{\"properties\":{}}"
+    ```
+
+    For example, if enabling the PodChaos capability:
+
+    ```azurecli-interactive
+    az rest --method put --url "https://management.azure.com/subscriptions/b65f2fec-d6b2-4edd-817e-9339d8c01dc4/resourceGroups/myRG/providers/Microsoft.ContainerService/managedClusters/myCluster/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh/capabilities/PodChaos-2.1?api-version=2021-09-15-preview"  --body "{\"properties\":{}}"
+    ```
+
+    This must be done for each capability you want to enable on the cluster.
+
+You have now successfully onboarded your AKS cluster to Chaos Studio.
+
+## Create an experiment
+With your AKS cluster now onboarded, you can create your experiment. A chaos experiment defines the actions you want to take against target resources, organized into steps, which run sequentially, and branches, which run in parallel.
+
+1. Create a Chaos Mesh jsonSpec:
+    1. Visit the Chaos Mesh documentation for a fault type, [for example, the PodChaos type](https://chaos-mesh.org/docs/simulate-pod-chaos-on-kubernetes/#create-experiments-using-yaml-configuration-files).
+    2. Formulate the YAML configuration for that fault type using the Chaos Mesh documentation.
+
+        ```yaml
+        apiVersion: chaos-mesh.org/v1alpha1
+        kind: PodChaos
+        metadata:
+          name: pod-failure-example
+          namespace: chaos-testing
+        spec:
+          action: pod-failure
+          mode: all
+          duration: '600s'
+          selector:
+            namespaces:
+              - default
+        ```
+    3. Remove any YAML outside of the `spec` (including the spec property name), and remove the indentation of the spec details.
+
+        ```yaml
+        action: pod-failure
+        mode: all
+        duration: '600s'
+        selector:
+          namespaces:
+            - default
+        ```
+    4. Use a [YAML-to-JSON converter like this one](https://www.convertjson.com/yaml-to-json.htm) to convert the Chaos Mesh YAML to JSON and minimize it.
+
+        ```json
+        {"action":"pod-failure","mode":"all","duration":"600s","selector":{"namespaces":["default"]}}
+        ```
+    5. Use a [JSON string escape tool like this one](https://www.freeformatter.com/json-escape.html) to escape the JSON spec.
+    
+        ```json
+        {\"action\":\"pod-failure\",\"mode\":\"all\",\"duration\":\"600s\",\"selector\":{\"namespaces\":[\"default\"]}}
+        ```
+
+2. Create your experiment JSON starting with the JSON sample below. Modify the JSON to correspond to the experiment you want to run using the [Create Experiment API](/rest/api/chaosstudio/experiments/create-or-update), the [fault library](chaos-studio-fault-library.md), and the jsonSpec created in the previous step.
+
+    ```json
+    {
+      "location": "centralus",
+      "identity": {
+        "type": "SystemAssigned"
+      },
+      "properties": {
+        "steps": [
+          {
+            "name": "AKS pod kill",
+            "branches": [
+              {
+                "name": "AKS pod kill",
+                "actions": [
+                  {
+                    "type": "continuous",
+                    "selectorId": "Selector1",
+                    "duration": "PT10M",
+                    "parameters": [
+                      {
+                          "key": "jsonSpec",
+                          "value": "{\"action\":\"pod-failure\",\"mode\":\"all\",\"duration\":\"600s\",\"selector\":{\"namespaces\":[\"default\"]}}"
+                      }
+                    ],
+                    "name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:podChaos/2.1"
+                  }
+                ]
+              }
+            ]
+          }
+        ],
+        "selectors": [
+          {
+            "id": "Selector1",
+            "type": "List",
+            "targets": [
+              {
+                "type": "ChaosTarget",
+                "id": "/subscriptions/b65f2fec-d6b2-4edd-817e-9339d8c01dc4/resourceGroups/myRG/providers/Microsoft.ContainerService/managedClusters/myCluster/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh"
+              }
+            ]
+          }
+        ]
+      }
+    }
+    ```
+    
+2. Create the experiment using the Azure CLI, replacing `$SUBSCRIPTION_ID`, `$RESOURCE_GROUP`, and `$EXPERIMENT_NAME` with the properties for your experiment. Make sure you have saved and uploaded your experiment JSON and update `experiment.json` with your JSON filename.
+
+    ```azurecli-interactive
+    az rest --method put --uri https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Chaos/experiments/$EXPERIMENT_NAME?api-version=2021-09-15-preview --body @experiment.json
+    ```
+
+    Each experiment creates a corresponding system-assigned managed identity. Note of the `principalId` for this identity in the response for the next step.
+
+## Give experiment permission to your AKS cluster
+When you create a chaos experiment, Chaos Studio creates a system-assigned managed identity that executes faults against your target resources. This identity must be given [appropriate permissions](chaos-studio-fault-providers.md) to the target resource for the experiment to run successfully.
+
+Give the experiment access to your resource(s) using the command below, replacing `$EXPERIMENT_PRINCIPAL_ID` with the principalId from the previous step and `$RESOURCE_ID` with the resource ID of the target resource (in this case, the AKS cluster resource ID). Run this command for each resource targeted in your experiment. 
+
+```azurecli-interactive
+az role assignment create --role "Azure Kubernetes Cluster User Role" --assignee-object-id $EXPERIMENT_PRINCIPAL_ID --scope $RESOURCE_ID
+```
+
+## Run your experiment
+You are now ready to run your experiment. To see the impact, we recommend opening your AKS cluster overview and going to **Insights** in a separate browser tab. Live data for the **Active Pod Count** will show the impact of running your experiment.
+
+1. Start the experiment using the Azure CLI, replacing `$SUBSCRIPTION_ID`, `$RESOURCE_GROUP`, and `$EXPERIMENT_NAME` with the properties for your experiment.
+
+    ```azurecli-interactive
+    az rest --method post --uri https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Chaos/experiments/$EXPERIMENT_NAME/start?api-version=2021-09-15-preview
+    ```
+
+2. The response includes a status URL that you can use to query experiment status as the experiment runs.
+
+## Next steps
+Now that you have run an AKS Chaos Mesh service-direct experiment, you are ready to:
+- [Create an experiment that uses agent-based faults](chaos-studio-tutorial-agent-based-portal.md)
+- [Manage your experiment](chaos-studio-run-experiment.md)

articles/chaos-studio/chaos-studio-tutorial-aks-cli.md

@@ -1,6 +1,6 @@
 ---
-title: Create an experiment that uses an AKS Chaos Mesh fault with Azure Chaos Studio
-description: Create an experiment that uses an AKS Chaos Mesh fault
+title: Create an experiment that uses an AKS Chaos Mesh fault using Azure Chaos Studio with the Azure portal
+description: Create an experiment that uses an AKS Chaos Mesh fault with the Azure portal
 author: johnkemnetz
 ms.topic: how-to
 ms.date: 11/01/2021
@@ -9,11 +9,11 @@ ms.service: chaos-studio
 ms.custom: template-how-to, ignite-fall-2021
 ---
 
-# Create a chaos experiment that uses a Chaos Mesh fault to kill AKS pods
+# Create a chaos experiment that uses a Chaos Mesh fault to kill AKS pods with the Azure portal
 
 You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. In this guide, you will cause periodic Azure Kubernetes Service pod failures on a namespace using a chaos experiment and Azure Chaos Studio. Running this experiment can help you defend against service unavailability when there are sporadic failures.
 
-Azure Chaos Studio uses [Chaos Mesh](https://chaos-mesh.org/), a free, open-source chaos engineering platform for Kubernetes to inject faults into an AKS cluster. Chaos Mesh faults are [service-direct](chaos-studio-tutorial-aks.md) faults that require Chaos Mesh to be installed on the AKS cluster. These same steps can be used to set up and run an experiment for any AKS Chaos Mesh fault.
+Azure Chaos Studio uses [Chaos Mesh](https://chaos-mesh.org/), a free, open-source chaos engineering platform for Kubernetes to inject faults into an AKS cluster. Chaos Mesh faults are [service-direct](chaos-studio-tutorial-aks-portal.md) faults that require Chaos Mesh to be installed on the AKS cluster. These same steps can be used to set up and run an experiment for any AKS Chaos Mesh fault.
 
 ## Prerequisites
 

articles/chaos-studio/chaos-studio-tutorial-aks.md renamed to articles/chaos-studio/chaos-studio-tutorial-aks-portal.md

@@ -37,7 +37,7 @@ landingContent:
         - text: Create an experiment that uses an agent-based fault with Azure Chaos Studio
           url: chaos-studio-tutorial-agent-based-portal.md
         - text: Create an experiment that uses an AKS Chaos Mesh fault with Azure Chaos Studio
-          url: chaos-studio-tutorial-aks.md
+          url: chaos-studio-tutorial-aks-portal.md
 
   # Card
   - title: Reference

articles/chaos-studio/index.yml

@@ -56,7 +56,7 @@ Agent-based faults may fail for a variety of reasons related to missing prerequi
 
 ### AKS Chaos Mesh faults fail
 AKS Chaos Mesh faults may fail for a variety of reasons related to missing prerequisites:
-* Chaos Mesh must first be installed on the AKS cluster before using the AKS Chaos Mesh faults. Instructions can be found in the [Chaos Mesh faults on AKS tutorial](chaos-studio-tutorial-aks.md#set-up-chaos-mesh-on-your-aks-cluster).
+* Chaos Mesh must first be installed on the AKS cluster before using the AKS Chaos Mesh faults. Instructions can be found in the [Chaos Mesh faults on AKS tutorial](chaos-studio-tutorial-aks-portal.md#set-up-chaos-mesh-on-your-aks-cluster).
 * Chaos Mesh must be version 2.0.4 or greater. You can get the Chaos Mesh version by connecting to your AKS cluster and running `helm version chaos-mesh`.
 * Chaos Mesh must be installed with the namespace `chaos-testing`. Other namespace names for Chaos Mesh are not supported.
 * The Azure Kubernetes Service Cluster Admin role must be assigned to the system-assigned managed identity for the chaos experiment.