Manage User Permissions

Chaos Mesh uses the native features in Kubernetes to manage user roles and permissions. To create, view and manage Chaos experiments, users need to have the corresponding permissions in the of chaos-mesh.org to customize resources of Chaos experiments.

Note

If Chaos Mesh is installed using Helm, permission authentication is enabled by default. For production environments and other scenarios with high security requirements, it is recommended to keep the permission authentication feature enabled. If you just want to give Chaos Mesh a try and quickly create Chaos experiments without enabling the permission authentication feature, you can refer to to learn how to disable the feature.

You can create user accounts and bind permissions directly through the Chaos Mesh Dashboard interface. When you access the Dashboard, a login window pops up. Click the link "Click here to generate":

After you click the link, another window pops up as follows:

Dashboard Token Generator

The steps to create user accounts and bind permissions are as follows. You need to perform the first three of the following steps in the pop-up window:

  1. Choose the permission scope

    If you want to give the account the appropriate permissions for all Chaos experiments in Kubernetes, check the Cluster scoped box. If you specify a namespace in the Namespace dropdown option box, the account only has permissions in that specified namespace.

  2. Currently, Chaos Mesh provides the following user roles:

    • Manager, who has all permissions to create, view, update, and delete Chaos experiments.
    • Viewer, who has only the view permission for Chaos experiments.
  3. Create the user account and bind permissions

    Run the following command in your terminal:

  4. Generate the token

    Copy the command shown in the third step on the Token generator page and run the command in your terminal. The following is an example command:

    The output is as follows:

  5. Sign in to Chaos Mesh with the user account you have created

    Close the Token generator window and return to the login window. Enter the token that you have got from the previous step in the Token input box and enter a meaningful name for the token in the Name input box. It is recommended to use a name consisting of the permission scope and the user role, such as . Once you finish filling these two input boxes, click Submit to log in:

Note

  • You need to ensure that the local user who executes kubectl has permissions for the cluster so that this user can create user accounts, bind permissions for other users, and generate tokens.
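A namespace-scoped, view-only account of the kind steps 1 to 3 describe, written out as a Kubernetes RBAC manifest. This is an added example, not the configuration the Dashboard generates and not code from the Chaos Mesh project; the chaos-testing namespace and every object name are constructed placeholders, and covering all resources in the chaos-mesh.org API group is an assumption.

```yaml
# Constructed example: read-only ("Viewer"-style) account limited to one namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: account-chaos-testing-viewer   # hypothetical name
  namespace: chaos-testing             # hypothetical namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role            # Role, not ClusterRole: the permissions end at this namespace
metadata:
  name: role-chaos-testing-viewer
  namespace: chaos-testing
rules:
  - apiGroups: ["chaos-mesh.org"]
    resources: ["*"]
    # View only. A Manager-style role would also list
    # create, update, patch and delete here.
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding     # ties the account to the role inside the namespace
metadata:
  name: bind-chaos-testing-viewer
  namespace: chaos-testing
subjects:
  - kind: ServiceAccount
    name: account-chaos-testing-viewer
    namespace: chaos-testing
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-chaos-testing-viewer
# Before handing out a token for this account, confirm the scope as a
# cluster administrator by impersonating it:
#   kubectl auth can-i list podchaos.chaos-mesh.org -n chaos-testing \
#     --as=system:serviceaccount:chaos-testing:account-chaos-testing-viewer
#   kubectl auth can-i create podchaos.chaos-mesh.org -n chaos-testing \
#     --as=system:serviceaccount:chaos-testing:account-chaos-testing-viewer
# Repeat both checks with a different -n value to confirm nothing is granted
# outside the chosen namespace.
```

For a cluster-scoped account, the same structure uses ClusterRole and ClusterRoleBinding, so review who receives such a token with correspondingly more care.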

If you need to replace the token with another, click the Settings button shown in the left sidebar on the Dashboard web page:

Dashboard Token Logout

At the top of the page, you can see the Logout button. Click the button to log out the current token.

If Chaos Mesh is installed using Helm, the permission authentication feature is enabled by default. For production environments and other scenarios with high security requirements, it is recommended to keep the permission authentication feature enabled. If you just want to give Chaos Mesh a try and quickly create Chaos experiments with the permission authentication feature disabled, you can set --set dashboard.securityMode=false in a Helm command. The command is as follows: