Requirements:- Run controlled latency/abort experiments (percent-based, per-path/service)- Full observability (traces, metrics, logs) and correlation to injected faults- Safe rollout and automated/manual rollback- RBAC to restrict who can create experiments- Minimal blast radius, ability to mirror traffic for analysisDesign summary:- Use Istio VirtualService HTTP fault injection (delay/abort) with weighted routes for percent-based experiments.- Use DestinationRule subsets to target specific versions/instances.- Mirror subset traffic to a non-production shadow service for offline analysis.- Enforce Istio RBAC (AuthorizationPolicy + Kubernetes RBAC) so only SRE/chaos teams can apply fault injections.- Correlate faults by injecting a custom header and propagating trace IDs; enrich metrics and spans with an "experiment_id" tag.- Automate safe rollout with canary percentages, guardrails (Prometheus alerts on SLO violation) and an automated rollback controller.Example VirtualService fault injection (10% abort, 20% delay for a canary):yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: orders
spec:
hosts: ["orders.svc.cluster.local"]
http:
- match:
- uri:
prefix: /checkout
route:
- destination:
host: orders
subset: v1
weight: 80
- destination:
host: orders
subset: v2
weight: 20
fault:
abort:
httpStatus: 503
percent: 10
delay:
fixedDelay: 200ms
percent: 20
mirror:
host: orders-shadow
DestinationRule with subsets:yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: orders-dr
spec:
host: orders
subsets:
- name: v1
labels: { version: "v1" }
- name: v2
labels: { version: "v2-canary" }
RBAC (restrict who can change VirtualServices):- Kubernetes RBAC: limit ability to update istio networking CRDs to group "sre-team".- Istio AuthorizationPolicy: restrict traffic-management endpoints (e.g., using Gatekeeper or admitting webhook) and require mTLS for admin paths.Observability and correlation:- Add experiment metadata: when creating an experiment, inject a header X-Experiment-ID and X-Fault-Type via EnvoyFilter or sidecar Envoy header manipulation for requests routed into the faulted subset. Ensure trace context (traceparent / x-request-id) is preserved.- Instrument services to read X-Experiment-ID and add as span attribute and a Prometheus label (use OpenTelemetry/OTLP exporters). Example span tag: experiment_id=<id>, fault_injected=true.- Metrics: create Prometheus recording rules and dashboards that slice latency/error-rate by experiment_id, subset, endpoint.- Tracing: configure Jaeger/Zipkin to include experiment_id in span tags so you can query traces affected by faults.Safe rollout & rollback:- Start with 0.1–1% traffic for destructive faults, higher for non-destructive latency.- Use short time-boxed windows (e.g., 10m) and observe SLOs (p99 latency, error-rate).- Automated guardrail: Prometheus alert fires if error-rate or latency breach threshold; a controller (Argo Rollouts/Flux/CD) watches alerts and reverts VirtualService to last known-good by applying stored YAML.- Maintain GitOps: experiments are created via PRs to a "chaos" repo requiring approvals; changes auto-applied only after policy checks.Additional safety:- Only run during low-risk windows or on dev/staging clusters; when in prod, require multi-person approval.- Use traffic mirroring to shadow production requests to a non-critical environment before injecting active faults.- Log all experiment actions centrally (audit logs) for postmortems.Trade-offs:- Envoy-level faults are fast and low-overhead but may not simulate every backend failure mode (e.g., resource exhaustion).- Mirroring increases load on shadow systems — provision accordingly.Why this works:- Istio VirtualService/fault injection provides precise per-route control.- DestinationRule subsets + weights enable canary percent control.- Header/trace enrichment ensures end-to-end observability and easy filtering.- RBAC + GitOps + automated guardrails provide safe, auditable, reversible experiments.