A Steadybit discovery and attack implementation to inject faults into various Google Cloud / GCP services.
Learn about the capabilities of this extension in our Reliability Hub.
Environment Variable | Helm value | Meaning | Required | Default |
---|---|---|---|---|
STEADYBIT_EXTENSION_CREDENTIALS_KEYFILE_PATH |
gcp.credentialsKeyfilePath | To authorize using a JSON key file via location path (https://cloud.google.com/iam/docs/managing-service-account-keys) | false | Tries to get a client with default google apis |
STEADYBIT_EXTENSION_PROJECT_ID |
gcp.projectID | The Google Cloud Project ID to be used | true | |
STEADYBIT_EXTENSION_DISCOVERY_ATTRIBUTES_EXCLUDES_VM |
discovery.attributes.excludes.vm | List of Target Attributes which will be excluded during discovery. Checked by key equality and supporting trailing "*" | false |
The extension supports all environment variables provided by steadybit/extension-kit.
When installed as linux package this configuration is in/etc/steadybit/extension-gcp
.
Provide the credentials to authorize the extension to access the Google Cloud API. The extension supports two ways to provide the credentials:
Provide a JSON key file via the environment variable STEADYBIT_EXTENSION_CREDENTIALS_KEYFILE_PATH
and mount it to the extension.
Or create a secret with the key credentialsKeyfileJson
and provide the json there.
docker run \
--rm \
-p 8093 \
--name steadybit-extension-gcp \
-e STEADYBIT_EXTENSION_PROJECT_ID='YOUR_GCP_PROJECT_ID' \
-e STEADYBIT_EXTENSION_CREDENTIALS_KEYFILE_JSON='{ "type": "service_account".......' \
ghcr.io/steadybit/extension-gcp:latest
helm repo add steadybit-extension-gcp https://steadybit.github.io/extension-gcp
helm repo update
helm upgrade steadybit-extension-gcp \
--install \
--wait \
--timeout 5m0s \
--create-namespace \
--namespace steadybit-agent \
--set gcp.projectID=YOUR_GCP_PROJECT_ID \
--set gcp.credentialsKeyfilePath=PATH_TO_JSON_FILE \
steadybit-extension-gcp/steadybit-extension-gcp
Make sure to register the extension at the steadybit platform. Please refer to the documentation for more information.
To discover vm instances, the extension needs:
one of the following OAuth scopes:
https://www.googleapis.com/auth/compute.readonly
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/cloud-platform
In addition to any permissions specified on the fields above, authorization requires one or more of the following IAM permissions:
compute.acceleratorTypes.list
To find predefined roles that contain those permissions, see Compute Engine IAM Roles.
To attack vm instances, the extension needs:
one of the following OAuth scopes:
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/cloud-platform
In addition to any permissions specified on the fields above, authorization requires one or more of the following IAM permissions:
compute.instances.reset
compute.instances.stop
compute.instances.suspend
compute.instances.delete
To find predefined roles that contain those permissions, see Compute Engine IAM Roles.