Chapter 11: Controlled Chaos

Why This Chapter Exists

Production resilience is not proven in calm conditions. This chapter validates behavior under controlled failures with explicit blast-radius limits.

Scope

Failure classes in this chapter:

  • crash loop (/panic)
  • elevated 5xx (/status/500)
  • random pod termination (Chaos Monkey)

Implementation focus:

  • deterministic drills first
  • Chaos Monkey in develop with kill switch and strict target allowlist

Chaos Monkey (MVP)

Flux path:

Safety controls:

  • namespace scope: develop only (RBAC Role in develop)
  • target scope: app=frontend or app=backend
  • schedule: every 15 minutes
  • window: UTC 10-16
  • kill switch: spec.suspend: true on CronJob (default)
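The safety controls above can be expressed as a single deny-by-default gate that a drill script evaluates before any pod is terminated. This is an added example, not the repository's Chaos Monkey code; the function names, the pod dictionary shape and the reading of the window as 10:00 <= t < 16:00 UTC are assumptions.

```python
from datetime import datetime, timezone

ALLOWED_NAMESPACE = "develop"
ALLOWED_APPS = {"frontend", "backend"}
WINDOW_START_HOUR, WINDOW_END_HOUR = 10, 16  # assumption: 10:00 <= t < 16:00 UTC


def deny_reason(pod, now, suspended):
    """Return None if the pod may be terminated, else the control that blocks it."""
    if suspended:
        return "kill switch: CronJob is suspended"
    if now.tzinfo is None:
        return "window: timestamp must be timezone-aware"
    hour = now.astimezone(timezone.utc).hour
    if not WINDOW_START_HOUR <= hour < WINDOW_END_HOUR:
        return "window: outside UTC 10-16"
    if pod.get("namespace") != ALLOWED_NAMESPACE:
        return "namespace scope: not develop"
    if pod.get("labels", {}).get("app") not in ALLOWED_APPS:
        return "target scope: app label not in allowlist"
    return None


def eligible_targets(pods, now, suspended=True):
    """Split pods into (eligible names, {name: deny reason}); suspended defaults to True."""
    eligible, denied = [], {}
    for pod in pods:
        reason = deny_reason(pod, now, suspended)
        if reason is None:
            eligible.append(pod["name"])
        else:
            denied[pod["name"]] = reason
    return eligible, denied


# Constructed sample pods, not taken from a real cluster.
SAMPLE_PODS = [
    {"name": "frontend-7c9d", "namespace": "develop", "labels": {"app": "frontend"}},
    {"name": "backend-5f2a", "namespace": "develop", "labels": {"app": "backend"}},
    {"name": "postgres-0", "namespace": "develop", "labels": {"app": "postgres"}},
    {"name": "frontend-1b3e", "namespace": "staging", "labels": {"app": "frontend"}},
    {"name": "unlabelled-x", "namespace": "develop"},
]

if __name__ == "__main__":
    in_window = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    print(eligible_targets(SAMPLE_PODS, in_window, suspended=False))
    print(eligible_targets(SAMPLE_PODS, in_window))  # default: suspended
```

The deny reasons name the control that blocked each pod, which makes a skipped run as easy to audit as an executed one.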

Guardrails

  • Never run uncontrolled chaos in staging/production.
  • One failure injection per run.
  • Evidence-first triage: metrics -> traces -> logs.
  • Every drill must end with recovery verification and a hardening action.

Lab Files

  • lab.md
  • runbook-game-day.md
  • scorecard.md
  • quiz.md

Handoff to Chapter 12 (AI Guardian)

Chaos Monkey emits structured log events in CronJob output. In Chapter 12, Guardian watchers consume these events and classify:

  • expected controlled disruption
  • unexpected collateral impact
  • escalation-required incident

Done When

  • learner runs at least two controlled failure drills with evidence
  • learner enables/disables Chaos Monkey safely
  • learner captures one game-day scorecard with action items

Game Day Scorecard (Template)

  • Date:
  • Environment:
  • Scenario:
  • Driver:
  • Incident Commander:
  • Observer:

Detection

  • First symptom timestamp:
  • Detection signal:
  • MTTD (minutes):

Triage

  • Representative trace id:
  • Correlated log …

Lab: Controlled Chaos with Safety Guardrails

  • confirm detection
  • run incident workflow
  • verify recovery

Prerequisites

    kubectl -n flux-system get kustomization chaos-monkey-develop
    kubectl -n develop get deploy frontend backend
    kubectl -n observability get …

Quiz: Chapter 11 (Controlled Chaos)

  • Which CronJob field is the primary kill switch for Chaos Monkey?
  • In this repo, what target app labels are allowed for monkey pod deletion?
  • Which incident flow is required before mitigation decisions?
  • Which statement is …

Runbook: Controlled Chaos Game Day

Roles

  • Incident Commander: owns decision flow
  • Driver: executes injection commands
  • Observer: records timeline and evidence

Preflight (Required)

  • Confirm environment is develop.
  • Confirm rollback path is known.
  • Confirm …