diff --git a/docs/chaos-engineering/use-harness-ce/infrastructures/custom-sa.md b/docs/chaos-engineering/use-harness-ce/infrastructures/custom-sa.md index de8a4ef3c82..9a46489d700 100644 --- a/docs/chaos-engineering/use-harness-ce/infrastructures/custom-sa.md +++ b/docs/chaos-engineering/use-harness-ce/infrastructures/custom-sa.md 
@@ -19,33 +19,259 @@ A service account is required in the Delegate YAML when Delegate is installed in In case the Delegate is deployed in a **centralized infrastructure** (and connected to the target cluster), service account is not required in the Delegate YAML because the Kubernetes connectors already have the role permissions, and Delegate only orchestrates the tasks. -## Attach a service account to the Delegate +## Distributed Delegate installed on Target Cluster By default, Delegate uses the **cluster admin** role. To limit the permissions for the Delegate, follow the steps below. -1. Remove the cluster role binding from the Delegate manifest, as shown in the diagram. +1. Create a dedicated namespace for Harness delegate during installation. For example `harness-delegate-ng`. - ![](./static/delegate/cluster.png) +2. Remove the cluster role binding from the Delegate manifest, as shown in the diagram. -2. Create a new service account for the Delegate (to which you can assign a role further). + ![](./static/delegate/cluster.png) + +3. Create a new service account for the Delegate (to which you can assign a role further) in the dedicated namespace where the Delegate is installed. Here, `chaos-delegate` refers to the name of the service account in the Delegate. -```yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: chaos-delegate - namespace: harness-delegate-ng -``` + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: chaos-delegate + namespace: harness-delegate-ng + ``` + +4. Attach the service account you created earlier to the Delegate YAML, as shown in the diagram. + + ![](./static/delegate/attach.png) -3. Attach the service account to the Delegate YAML, as shown in the diagram. +5. Apply the below RBAC to configure the permissions to create chaos runners (that is, transient pods). 
- ![](./static/delegate/attach.png) + ```yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + namespace: harness-delegate-ng + name: chaos-runner-role + rules: + - apiGroups: + - apps + resources: + - deployments + - replicasets + - daemonsets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - "" + resources: + - pods + - pods/log + - pods/exec + - secrets + - services + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: chaos-runner-rolebinding + namespace: harness-delegate-ng + subjects: + - kind: ServiceAccount + name: chaos-delegate + namespace: harness-delegate-ng + roleRef: + kind: Role + name: chaos-runner-role + apiGroup: rbac.authorization.k8s.io + ``` + +6. Create a cluster role that will be used later to onboard application namespaces. 
+ + ```yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: chaos-clusterrole + rules: + # Discovery permissions + - apiGroups: + - apps + resources: + - deployments + - replicasets + - daemonsets + - statefulsets + verbs: + - watch + - list + - get + - apiGroups: + - "" + resources: + - pods + - replicationcontrollers + - services + - statefulsets + - nodes #(nodes and namespaces permission is required to create automatic network experiments) + - namespaces + verbs: + - watch + - list + - get + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - watch + - list + - get + # Chaos permissions + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - create + - delete + - get + - list + - apiGroups: + - apps + resources: + - deployments + - replicasets + - daemonsets + - statefulsets + verbs: + - list + - get + - update + - apiGroups: + - "" + resources: + - replicationcontrollers + - services + verbs: + - get + - list + - apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - list + - get + - apiGroups: + - argoproj.io + resources: + - rollouts + verbs: + - list + - get + ``` + +7. If you wish to provide access to all namespaces, create a cluster role binding. 
+ + ```yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: chaos-rolebinding + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chaos-clusterrole + subjects: + - kind: ServiceAccount + name: chaos-delegate + namespace: harness-delegate-ng + ``` + + - Now, you can onboard a namespace by creating a role binding in the application namespace (For example, Onboarding app1, app2 and so on) + + ```yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: chaos-rolebinding + namespace: app1 #for app2, provide namespace as app2 + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chaos-clusterrole + subjects: + - kind: ServiceAccount + name: chaos-delegate + namespace: harness-delegate-ng + ``` + +8. Create a Kubernetes connector using Delegate permissions. + + ![connector](./static/delegate/delegate-perms.png) + ![delegate setup](./static/delegate/delegate-setup.png) + + +9. Finally create the Kubernetes infrastructure using the Kubernetes connectors created in the step 8. + + ![](./static/delegate/setup-1.png) + ![](./static/delegate/setup-2.png) + +10. Edit the infrastructure you created in step 9 to provide the details of dedicated namespace that was created earlier. This is the namespaace where the chaos runner will be launched along with the Service Account to ensure that experiments run with relevant permissions. + + ![](./static/delegate/edit-infra-sa.png) + ### Permissions to manage Delegate resources -While using Harness Delegate, transient pods are created. Harness recommends you provide dedicated namespace for the transient resources. Delegte manages the resources, that require specific permissions in the dedicated namespace. +While using Harness Delegate, transient pods are created. Harness recommends you provide dedicated namespace for the transient resources. 
Delegate manages the resources, that require specific permissions in the dedicated namespace. ```yaml @@ -167,18 +393,19 @@ One of the use cases of enabling chaos in selected namespaces is to use one infr Execute the below one-time steps. -1. Create a Kubernetes cluster connector: A connector describes how the delegate communicates with the target cluster. +1. Create a Kubernetes cluster connector: A connector describes how the Delegate communicates with the target cluster. Two cases arise when a Delegate communicates with target cluster: -a. [When the target application and the delegate are running in the same cluster](#target-application-and-delegate-running-in-same-cluster). -b. [When the target application and the delegate are running on different clusters](#target-application-and-delegate-running-on-different-clusters). +a. [When the target application and the Delegate are running in the same cluster](#target-application-and-delegate-running-in-same-cluster). + +b. [When the target application and the Delegate are running on different clusters](#target-application-and-delegate-running-on-different-clusters). -#### Target application and delegate running in same cluster +#### Target Application and Delegate Running in Same Cluster After creating a Kubernetes cluster, follow the steps below: -1. Add permissions to manage the discovery and transient chaos pods in the delegate namespace (`harness-delegate-ng` in the example below). Harness recommends you keep the delegate and chaos infrastructure in the delegate namespace. +1. Add permissions to manage the discovery and transient chaos pods in the Delegate namespace (`harness-delegate-ng` in the example below). Harness recommends you keep the Delegate and chaos infrastructure in the Delegate namespace. ```yaml apiVersion: rbac.authorization.k8s.io/v1 
@@ -209,180 +436,236 @@ After creating a Kubernetes cluster, follow the steps below: apiGroup: rbac.authorization.k8s.io ``` -2. Create a Kubernetes cluster connector using the delegate permissions you added in the previous step. +2. Create a Kubernetes cluster connector using the Delegate permissions you added in the previous step. ![k8s connector](./static/delegate/k8s-con.png) -#### Target application and delegate running on different clusters +#### Target Application and Delegate Running on Different Clusters -1. Create a service account in the target cluster with the permissions mentioned below. These permissions allow the Harness chaos transient pods to be present in a dedicated namespace. Harness recommends you keep the delegate and chaos infrastructure in the delegate namespace. +The diagram below describes how the Harness environment and your (user) environment communicate with the help of Harness Delegate to execute chaos experiments. + + ![](./static/delegate/centralized-delegate.png) + +1. Create a service account in the target cluster with the permissions mentioned below. These permissions allow the Harness chaos transient pods to be present in a dedicated namespace. Harness recommends you keep the Delegate and chaos infrastructure in the Delegate namespace. +Also ensure the following are fulfilled: +- Delegate should be installed in your **centralised infrastructure**. 
+- Network connectivity between centralised infrastructure and target cluster infrastructure (where chaos runs) ```yaml apiVersion: v1 kind: ServiceAccount metadata: - name: targetclustersa - namespace: harness-delegate-ng + name: chaos-sa + namespace: harness-delegate-chaos # our recommendation is to create a dedicated namespace in the target cluster for delegate --- apiVersion: v1 kind: Secret metadata: - name: targetclustersa-secret - namespace: harness-delegate-ng + name: chaos-sa-secret + namespace: harness-delegate-chaos annotations: - kubernetes.io/service-account.name: targetclustersa + kubernetes.io/service-account.name: chaos-sa type: kubernetes.io/service-account-token --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - namespace: harness-delegate-ng - name: transient-pod-role + namespace: harness-delegate-chaos + name: chaosrunner-pod-role rules: - apiGroups: - - "*" + - apps + resources: + - deployments + - replicasets + - daemonsets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - "" resources: - - "*" + - pods + - pods/log + - pods/exec + - secrets + - services + - configmaps verbs: - - "*" + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: tranisent-pod-rolebinding - namespace: harness-delegate-ng + name: chaosrunner-pod-rolebinding + namespace: harness-delegate-chaos subjects: - kind: ServiceAccount - name: targetclustersa - namespace: harness-delegate-ng + name: chaos-sa + namespace: harness-delegate-chaos roleRef: kind: Role - name: transient-pod-role + name: chaosrunner-pod-role apiGroup: rbac.authorization.k8s.io ``` 2. 
Create a Kubernetes cluster connector using service account based authentication. Obtain the master URL by executing the command `kubectl cluster-info` and get the service account token and secret from the Kubernetes secret. - ![k8s connector](./static/delegate/diff-cluster.png) - -3. Create Harness infrastructure definition using the same Kubernetes cluster connector. + ![k8s connector](./static/delegate/diff-cluster.png) -4. Create a cluster role and provide cluster-wide access or cluster role binding for selected namespaces using role binding, depending on your usage. You can use this configuration to onboard application namespaces. +3. Create a cluster role and provide cluster-wide access or cluster role binding for selected namespaces using role binding, depending on your usage. You can use this configuration to onboard application namespaces. To discover the resources and run chaos, use the permissions (described below) in each namespace. -```yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: agentless-model-clusterrole -rules: -# Discovery permissions -- apiGroups: - - apps - resources: - - deployments - - replicasets - - daemonsets - - statefulsets - verbs: - - watch - - list - - get -- apiGroups: - - "" - resources: - - pods - - replicationcontrollers - - services - - statefulsets - verbs: - - watch - - list - - get -- apiGroups: - - batch - resources: - - jobs - - cronjobs - verbs: - - watch - - list - - get -# Chaos permissions -- apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - create - - delete - - get - - list -- apiGroups: - - apps - resources: - - deployments - - replicasets - - daemonsets - - statefulsets - verbs: - - list - - get - - update -- apiGroups: - - "" - resources: - - replicationcontrollers - - services - verbs: - - get - - list -- 
apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: - - list - - get -- apiGroups: - - argoproj.io - resources: - - rollouts - verbs: - - list - - get -``` + ```yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: chaos-clusterrole + rules: + # Discovery permissions + - apiGroups: + - apps + resources: + - deployments + - replicasets + - daemonsets + - statefulsets + verbs: + - watch + - list + - get + - apiGroups: + - "" + resources: + - pods + - replicationcontrollers + - services + - statefulsets + - nodes + - namespaces #(nodes and namespace permissions are required to autocreate network experiments) + verbs: + - watch + - list + - get + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - watch + - list + - get + # Chaos permissions + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - create + - delete + - get + - list + - apiGroups: + - metrics.k8s.io + resources: + - pods + verbs: + - get + - list + - apiGroups: + - apps + resources: + - deployments + - replicasets + - daemonsets + - statefulsets + verbs: + - list + - get + - update + - apiGroups: + - "" + resources: + - replicationcontrollers + - services + verbs: + - get + - list + - apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - list + - get + - apiGroups: + - argoproj.io + resources: + - rollouts + verbs: + - list + - get + ``` -5. You can onboard a namespace by creating a role binding in the application namespace (Onboarding `app1` namespace). +4. You can onboard a namespace by creating a role binding in the application namespace (Onboarding `app1` namespace). 
-```yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: agentless-model-rolebinding-app1 - namespace: app1 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: agentless-model-clusterrole -subjects: -- kind: ServiceAccount - name: targetclustersa - namespace: harness-delegate-n -``` + ```yaml + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: agentless-model-rolebinding-app1 + namespace: app1 + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: agentless-model-clusterrole + subjects: + - kind: ServiceAccount + name: targetclustersa + namespace: harness-delegate-n + ``` :::info note - To onboard a new application namespace, create another role binding in the application namespace (Onboarding `app2` namespace, replace the `namepsace` field in the above YAML spec with `app2`.) 
@@ -406,228 +689,238 @@ subjects: - For the above setting to work, ensure you update the namespace and the service account in the Harness portal service discovery agent setting and chaos infrastructure settings. ::: +5. Create Harness infrastructure definition using the same Kubernetes cluster connector that was created in Step 2. + + ![infra setup 1](./static/delegate/setup-1.png) + + ![infra setup 2](./static/delegate/setup-2.png) + +6. Edit the infrastructure you created in step 5 to provide the details of the dedicated namespace that was created. This is the namespace where the chaos runner is launched along with the Service Account to ensure that experiments are executed with relevant permissions. + + ![service account used](./static/delegate/sa-3.png) + ### Case 2: One Infrastructure, One Namespace To use one infrastructure to execute multiple experiments in one namespace, follow the steps below. 1. Create a service account and role to execute chaos experiments, and ensure they are in the application namespace. 
-```yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: chaos-delegate - namespace: app3 ---- -apiVersion: v1 -kind: Secret -metadata: - name: chaos-delegate - namespace: app3 - annotations: - kubernetes.io/service-account.name: chaos-delegate -type: kubernetes.io/service-account-token ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: chaos-delegate - namespace: app3 -rules: -# Discovery management permissions -- apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - list -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - list - - watch -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - get - - list - - patch - - update -# Discovery process permissions -- apiGroups: - - apps - resources: - - deployments - - replicasets - - daemonsets - - statefulsets - verbs: - - watch - - list - - get -- apiGroups: - - "" - resources: - - pods - - replicationcontrollers - - services - - statefulsets - verbs: - - watch - - list - - get -- apiGroups: - - batch - resources: - - jobs - - cronjobs - verbs: - - watch - - list - - get -# Chaos management permissions -- apiGroups: - - "" - resources: - - pods - - secrets - - configmaps - - services - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection -- apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection -- apiGroups: - - "" - resources: - - pods/log - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - get - - list - - create -- apiGroups: - - apps - resources: - - deployments - verbs: - - create - - delete - - get - - list - - patch - - update - - deletecollection -# Chaos execution permissions -- apiGroups: - - "" - resources: - - pods - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection -- 
apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - create - - delete - - get - - list -- apiGroups: - - apps - resources: - - deployments - - replicasets - - daemonsets - - statefulsets - verbs: - - list - - get - - update -- apiGroups: - - "" - resources: - - replicationcontrollers - - services - verbs: - - get - - list -- apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: - - list - - get -- apiGroups: - - argoproj.io - resources: - - rollouts - verbs: - - list - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: chaos-delegate - namespace: app3 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: chaos-delegate -subjects: -- kind: ServiceAccount - name: chaos-delegate - namespace: app3 -``` + ```yaml + apiVersion: v1 + kind: ServiceAccount + metadata: + name: chaos-delegate + namespace: app3 + --- + apiVersion: v1 + kind: Secret + metadata: + name: chaos-delegate + namespace: app3 + annotations: + kubernetes.io/service-account.name: chaos-delegate + type: kubernetes.io/service-account-token + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: chaos-delegate + namespace: app3 + rules: + # Discovery management permissions + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + # Discovery process permissions + - apiGroups: + - apps + resources: + - deployments + - replicasets + - daemonsets + - statefulsets + verbs: + - watch + - list + - get + - apiGroups: + - "" + resources: + - pods + - replicationcontrollers + - services + - statefulsets + verbs: + - watch + - list + - get + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - watch + - list + - get + # Chaos 
management permissions + - apiGroups: + - "" + resources: + - pods + - secrets + - configmaps + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - pods/exec + verbs: + - get + - list + - create + - apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - deletecollection + # Chaos execution permissions + - apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - create + - delete + - get + - list + - apiGroups: + - apps + resources: + - deployments + - replicasets + - daemonsets + - statefulsets + verbs: + - list + - get + - update + - apiGroups: + - "" + resources: + - replicationcontrollers + - services + verbs: + - get + - list + - apiGroups: + - apps.openshift.io + resources: + - deploymentconfigs + verbs: + - list + - get + - apiGroups: + - argoproj.io + resources: + - rollouts + verbs: + - list + - get + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: chaos-delegate + namespace: app3 + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chaos-delegate + subjects: + - kind: ServiceAccount + name: chaos-delegate + namespace: app3 + ``` 2. Create a Kubernetes cluster connector with the service account credentials. Obtain the master URL by executing the command `kubectl cluster-info` and get the service account token and secret from the Kubernetes secret. 
- ![same cluster](./static/delegate/same-cluster.png) + ![same cluster](./static/delegate/same-cluster.png) 3. Create Harness infrastructure definition using the same Kubernetes cluster connector. diff --git a/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/centralized-delegate.png b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/centralized-delegate.png new file mode 100644 index 00000000000..bc25618dd2f Binary files /dev/null and b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/centralized-delegate.png differ diff --git a/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/delegate-perms.png b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/delegate-perms.png new file mode 100644 index 00000000000..a9943e28f14 Binary files /dev/null and b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/delegate-perms.png differ diff --git a/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/delegate-setup.png b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/delegate-setup.png new file mode 100644 index 00000000000..748aceff97c Binary files /dev/null and b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/delegate-setup.png differ diff --git a/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/edit-infra-sa.png b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/edit-infra-sa.png new file mode 100644 index 00000000000..ea5d11c683b Binary files /dev/null and b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/edit-infra-sa.png differ 
diff --git a/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/sa-3.png b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/sa-3.png new file mode 100644 index 00000000000..4a300a01d8d Binary files /dev/null and b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/sa-3.png differ diff --git a/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/setup-1.png b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/setup-1.png new file mode 100644 index 00000000000..80d02da034b Binary files /dev/null and b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/setup-1.png differ diff --git a/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/setup-2.png b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/setup-2.png new file mode 100644 index 00000000000..5b9f6511ad9 Binary files /dev/null and b/docs/chaos-engineering/use-harness-ce/infrastructures/static/delegate/setup-2.png differ
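Review bot: In the first hunk (`@@ -19,33 +19,259 @@`), step 6's `chaos-clusterrole` lists `nodes` and `namespaces` with the comment that they are required for automatic network experiments, but the onboarding path under step 7 binds that ClusterRole through a namespaced RoleBinding in `app1`. A RoleBinding only grants namespaced resources inside its own namespace, so the cluster-scoped `nodes` and `namespaces` rules have no effect on that path. Either state that automatic network experiments need the ClusterRoleBinding, or split the two resources into a small read-only ClusterRole with its own ClusterRoleBinding. In the same rule, `statefulsets` sits under the core group `""`, where it matches nothing; it is already covered by the `apps` rule above it. Step 7 also reads as a sequence ("Now, you can onboard a namespace ...") although the ClusterRoleBinding and the per-namespace RoleBinding are alternatives, and both are named `chaos-rolebinding`; present them as "either/or". In step 5, `chaos-runner-role` puts `secrets` and `pods/exec` in one rule with the full verb list, in the namespace where the Delegate itself runs. The Case 2 Role later in this patch already scopes `pods/exec` to `get`, `list`, `create` and `pods/log` to `get`, `list`, `watch`, and the same split would fit here. Typo in step 10: "namespaace".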
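Review bot: In the second hunk (`@@ -167,18 +393,19 @@`), the two `####` headings move to title case ("Target Application and Delegate Running in Same Cluster") while the other headings this patch touches stay in sentence or mixed case ("### Permissions to manage Delegate resources", "## Distributed Delegate installed on Target Cluster"). Pick one convention for the file. The `a.` and `b.` items remain at column 0 under numbered step 1, so they will not nest under it; indenting them is cleaner than separating them with a blank line. "communicates with target cluster" is missing an article.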
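Review bot: In the third hunk (`@@ -209,180 +436,236 @@`), the step 4 RoleBinding still has `roleRef.name: agentless-model-clusterrole` and subject `targetclustersa` in `harness-delegate-n`, although this hunk renames the ClusterRole to `chaos-clusterrole` and the service account to `chaos-sa` in `harness-delegate-chaos`. As written, the onboarding binding references a role and a subject that the earlier steps never create. Update the three fields, and fix the namespace, which was already cut short at `harness-delegate-n`. The `chaos-clusterrole` defined here adds a `metrics.k8s.io` rule on `pods` that the ClusterRole of the same name in the distributed-Delegate section lacks; if both are meant to be the same role, keep them identical or explain the difference. The "Also ensure the following are fulfilled:" bullets are inserted at column 0 between step 1's text and its YAML, which breaks the numbered list; indent them under step 1 or move them above the list. The inline comment on `namespace: harness-delegate-chaos` recommends a dedicated namespace in the target cluster, while the sentence just above says to keep the Delegate and chaos infrastructure in the Delegate namespace; reconcile the two. Spelling: "centralised" here versus "centralized" elsewhere in the file.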
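Review bot: In the fourth hunk (`@@ -406,228 +689,238 @@`), the re-indented Case 2 Role `chaos-delegate` in `app3` keeps its overlapping rules. Core `pods` gets the full verb set under both "Chaos management permissions" and "Chaos execution permissions", on top of the narrower `pods` rule under "Discovery management permissions". `pods/log` with `get`, `list`, `watch` appears twice, and `statefulsets` is again listed under the core group `""`, where it matches nothing. Since every line of the block is being touched anyway, consolidating to one rule per resource set would make the effective permissions much easier to audit. In the new steps 5 and 6 of Case 1, step 6 refers to "the dedicated namespace that was created" and "the Service Account" without naming them; naming `harness-delegate-chaos` and `chaos-sa` from step 1 would remove the ambiguity. Step references also mix "Step 2" and "step 5".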