Add Chaos Studio IPs as Authorized IPs on AKS
Overview
Azure Kubernetes Service lets you allow only certain IP ranges to reach a cluster's API server. If you have enabled this option, Chaos Studio's AKS faults might fail unless you authorize the IP addresses that Chaos Studio uses for communication.
For example, if you try to run a Chaos Mesh fault on an AKS cluster with authorized IP ranges enabled, but Chaos Studio's IP addresses are not allowed, the experiment may fail with the time-out error "The request was canceled due to the configured HttpClient.Timeout of 100 seconds elapsing".
Authorizing IPs
There are several ways to resolve this:
- Use Chaos Studio's Service Tag to authorize the relevant IPs (preview)
- Use a PowerShell script to retrieve the IPs and add them automatically
- Retrieve and add the IPs manually
Use Service Tags with AKS preview feature
A service tag is a group of IP address prefixes that can be assigned to inbound and outbound rules for network security groups. It automatically handles updates to the group of IP address prefixes without any intervention. Since service tags primarily enable IP address filtering, service tags alone aren’t sufficient to secure traffic.
You can use a preview AKS feature to add Service Tags directly to the authorized IP ranges: Use Service Tags for API Server authorized IP ranges.
The relevant Service Tag is ChaosStudio.
PowerShell Script
The following PowerShell script retrieves the IP addresses listed in the ChaosStudio Service Tag and adds them to your AKS cluster's authorized IP ranges using the Azure CLI.
To use this script, copy and paste it into a new file and name it Add-KubernetesChaosStudioAuthorizedIPs.ps1, then run the script using the commented instructions.
# Script to add Chaos Studio IPs to the authorized IP ranges of an AKS cluster.
# Requires the Azure CLI (az) to be installed and signed in (az login).
# Run command: .\Add-KubernetesChaosStudioAuthorizedIPs.ps1 -subscriptionId "yourSubscriptionId" -resourceGroupName "yourResourceGroupName" -clusterName "yourAKSClusterName" -region "regionName"
[CmdletBinding()]
param (
    [Parameter(Mandatory=$true)]
    [string]
    $subscriptionId,
    [Parameter(Mandatory=$true)]
    [string]
    $resourceGroupName,
    [Parameter(Mandatory=$true)]
    [string]
    $clusterName,
    [Parameter(Mandatory=$true)]
    [string]
    $region
)

# The Azure CLI signals failure through its exit code, not a PowerShell exception,
# so each az call is followed by a $LASTEXITCODE check that turns a failure into a throw.
az account set --subscription $subscriptionId
if ($LASTEXITCODE -ne 0) { throw "Failed to select subscription '$subscriptionId'." }

# Get IP addresses for the Chaos Studio service tag using the Service Tag Discovery API.
try {
    Write-Host "Getting IP addresses for the ChaosStudio service tag..." -ForegroundColor Yellow
    $chaosStudioIps = @(az network list-service-tags --location $region --query "values[?contains(name, 'ChaosStudio')].properties.addressPrefixes[]" -o tsv)
    if ($LASTEXITCODE -ne 0 -or $chaosStudioIps.Count -eq 0) { throw "az network list-service-tags returned no prefixes." }
} catch {
    throw "Failed to retrieve IPs for Chaos Studio service tag from Service Tag Discovery API (https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#use-the-service-tag-discovery-api). Exception: $($_.Exception)"
}

# List IP addresses associated with the Chaos Studio service tag.
Write-Host "Chaos Studio IPs:"
$chaosStudioIps | ForEach-Object {
    Write-Host "$_"
}

# Add Chaos Studio IPs to the authorized IP ranges of the AKS cluster.
# --api-server-authorized-ip-ranges replaces the whole list rather than appending to it,
# so read the ranges that are already authorized and pass the merged, de-duplicated set.
try {
    Write-Host "Adding Chaos Studio IPs to authorized IP range of AKS cluster '$clusterName' in resource group '$resourceGroupName' of subscription '$subscriptionId'." -ForegroundColor Yellow
    $existingIps = @(az aks show -g $resourceGroupName -n $clusterName --query "apiServerAccessProfile.authorizedIpRanges" -o tsv)
    if ($LASTEXITCODE -ne 0) { throw "az aks show failed." }
    $allIps = @($existingIps + $chaosStudioIps) | Select-Object -Unique
    az aks update -g $resourceGroupName -n $clusterName --api-server-authorized-ip-ranges ($allIps -join ",")
    if ($LASTEXITCODE -ne 0) { throw "az aks update failed." }
    Write-Host "Successfully added Chaos Studio IPs to authorized IP range of AKS cluster '$clusterName' in resource group '$resourceGroupName' of subscription '$subscriptionId'." -ForegroundColor Yellow
} catch {
    throw "Failed to add Chaos Studio IPs to authorized IP range of AKS cluster '$clusterName'. Exception: $($_.Exception)"
}
Manual addition
See the AKS documentation on limiting API server access to a set of authorized IP ranges. You can obtain Chaos Studio's IP ranges by querying the ChaosStudio service tag with the Service Tag Discovery API or from the downloadable service tag JSON files, and then add them to the cluster's existing authorized ranges.
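The manual route above leaves two steps to the reader: pulling the ChaosStudio prefixes out of the service tag JSON, and merging them with what the cluster already allows so that the update does not drop existing ranges. The following Python is an added example written for this page, not code from the Chaos Studio or AKS documentation. It assumes the JSON shape that both the downloadable file and the Discovery API expose (values[].name and values[].properties.addressPrefixes, the same path the page's az query uses); the sample document and its prefixes are constructed documentation ranges, not real Chaos Studio addresses. It matches the tag name exactly rather than with contains(), so regional sub-tags are not pulled in unintentionally, and it validates every entry as a CIDR before building the az aks update argument.

```python
import ipaddress
import json

# Constructed sample in the shape of Azure's service tag JSON. The prefixes are
# documentation ranges (RFC 5737), not real Chaos Studio addresses; the regional
# entry is also made up, to show why an exact name match is used below.
SAMPLE_SERVICE_TAGS_JSON = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "ChaosStudio",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "198.51.100.16/28"]}},
        {"name": "ChaosStudio.ExampleRegion",
         "properties": {"addressPrefixes": ["203.0.113.0/24"]}},
        {"name": "Storage",
         "properties": {"addressPrefixes": ["192.0.2.0/24"]}},
    ],
})


def extract_service_tag_prefixes(service_tags_json: str, tag_name: str) -> list[str]:
    """Return the addressPrefixes of the entry whose name equals tag_name (case-insensitive).

    An exact match avoids pulling in regional sub-tags the way a substring match would.
    """
    doc = json.loads(service_tags_json)
    for entry in doc.get("values", []):
        if entry.get("name", "").lower() == tag_name.lower():
            return list(entry.get("properties", {}).get("addressPrefixes", []))
    raise KeyError(f"service tag {tag_name!r} not found in document")


def merge_authorized_ranges(existing: list[str], additional: list[str]) -> list[str]:
    """Merge the cluster's current authorized ranges with new ones.

    Every entry is parsed as a network (a bare address becomes /32), so malformed input
    raises ValueError instead of reaching the API, and duplicates written in different
    forms collapse to one entry. Existing ranges keep their position at the front.
    """
    merged: list[str] = []
    seen: set[str] = set()
    for raw in list(existing) + list(additional):
        normalized = str(ipaddress.ip_network(raw.strip(), strict=False))
        if normalized not in seen:
            seen.add(normalized)
            merged.append(normalized)
    return merged


def build_az_update_command(resource_group: str, cluster: str, ranges: list[str]) -> str:
    """Render the az CLI call. The flag replaces the whole list, so pass the merged set."""
    return (f"az aks update -g {resource_group} -n {cluster} "
            f"--api-server-authorized-ip-ranges {','.join(ranges)}")


if __name__ == "__main__":
    # Constructed stand-in for the output of:
    #   az aks show -g <rg> -n <cluster> --query apiServerAccessProfile.authorizedIpRanges -o tsv
    current_ranges = ["10.0.0.5", "203.0.113.0/24"]
    chaos_prefixes = extract_service_tag_prefixes(SAMPLE_SERVICE_TAGS_JSON, "ChaosStudio")
    merged = merge_authorized_ranges(current_ranges, chaos_prefixes)
    print(build_az_update_command("myResourceGroup", "myAKSCluster", merged))
```

Run it against a real service tag file by replacing SAMPLE_SERVICE_TAGS_JSON with the file contents and current_ranges with the cluster's az aks show output; the printed command is what to execute, and it can be reviewed before the authorized list is changed.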