Core Track Guardrails-first chapter in core learning path.

Estimated Time

  • Reading: 20-25 min
  • Lab: 45-60 min
  • Quiz: 10-15 min

Prerequisites

Source Code References

  • develop/ Members

Sign in to view source code.

What You Will Produce

A reproducible lab result plus quiz verification and incident-safe operating evidence.

Chapter 12: Controlled Chaos

Incident Hook

An untested failure mode appears during on-call and responders improvise under stress. Mitigation order is unclear, evidence is fragmented, and rollback confidence is low. The outage lasts longer because recovery behavior was never rehearsed. Controlled chaos drills make failure response predictable before real incidents.

Observed Symptoms

What the team sees first:

  • a failure mode appears with no practiced response path
  • responders collect evidence late and inconsistently
  • uncertainty, not only outage duration, expands the blast radius

The missing ingredient is rehearsal under controlled scope.

Why This Chapter Exists

Production resilience is not proven in calm conditions. This chapter validates behavior under controlled failures with explicit blast-radius limits.

Scope

Failure classes in this chapter:

  • crash loop (/panic)
  • elevated 5xx (/status/500)
  • random pod termination (Chaos Monkey)

Implementation focus:

  • deterministic drills first
  • Chaos Monkey in develop with kill switch and strict target allowlist

Confusion Phase

Chaos feels useful precisely because it can create realistic pressure. That is also why teams are tempted to make it too broad.

The real question is:

  • are we testing one failure path clearly
  • or are we generating noise that no one can learn from

What AI Would Propose (Brave Junior)

  • “Run chaos in staging/production to test realism quickly.”
  • “Inject multiple failures at once for faster coverage.”
  • “Leave chaos schedule always enabled.”

Why this sounds reasonable:

  • faster validation in fewer runs
  • appears comprehensive

Why This Is Dangerous

  • uncontrolled environments increase blast radius beyond drill intent.
  • multi-failure injections destroy causal clarity during triage.
  • always-on chaos without windowing creates operational noise and fatigue.

Investigation

Treat drills like experiments, not spectacle.

Safe investigation sequence:

  1. define one failure type and one bounded target
  2. confirm kill switch, namespace scope, and time window
  3. capture metrics, traces, and logs during the drill
  4. compare the observed response path with the intended runbook

Containment

Containment is part of the drill:

  1. stop the injection if scope or impact becomes unclear
  2. execute the documented mitigation path
  3. verify service recovery with evidence
  4. end with one hardening action instead of “we survived”

Chaos Monkey (MVP)

The SafeOps baseline keeps the chaos workload in a dedicated develop pack with an explicit kill switch. The snapshot below shows the real CronJob wiring, scope limits, and default suspend state used for drills.

Develop chaos pack

Show the chaos configuration
  • flux/infrastructure/chaos/develop/cronjob.yaml
  • flux/infrastructure/chaos/develop/kustomization.yaml
  • flux/infrastructure/chaos/develop/role.yaml
  • flux/infrastructure/chaos/develop/rolebinding.yaml
  • flux/infrastructure/chaos/develop/serviceaccount.yaml

Safety controls:

  • namespace scope: develop only (RBAC Role in develop)
  • target scope: app=frontend or app=backend
  • schedule: every 15 minutes
  • window: UTC 10-16
  • kill switch: spec.suspend: true on CronJob (default)

STOP: Kill Switch First

Critical rule:

  • chaos is allowed only in develop
  • run only in bounded time window
  • produce evidence for every drill
  • if scope/time is unclear, keep spec.suspend: true

Guardrails That Stop It

  • Never run uncontrolled chaos in staging/production.
  • One failure injection per run.
  • Evidence-first triage: metrics -> traces -> logs.
  • Every drill must end with recovery verification and a hardening action.

Safe Workflow (Step-by-Step)

  1. Confirm kill switch state and target scope before starting any drill.
  2. Run one deterministic failure scenario in develop.
  3. Triage with metrics -> traces -> logs and execute documented mitigation.
  4. Verify recovery and capture scorecard evidence.
  5. Re-enable suspend/kill switch if schedule-based chaos is not actively required.

Lab Files

  • lab.md
  • runbook-game-day.md
  • scorecard.md
  • quiz.md

Handoff to Chapter 13 (AI Guardian)

Chaos Monkey emits structured log events in CronJob output. In Chapter 13, Guardian watchers consume these events and classify:

  • expected controlled disruption
  • unexpected collateral impact
  • escalation-required incident

System Context

This chapter proves whether the earlier guardrails survive pressure, not just documentation.

It hands directly into:

  • Chapter 10 for evidence collection during drills
  • Chapter 13 for incident normalization after noisy signals appear
  • Chapter 14 for turning rehearsed recovery into real on-call discipline

Done When

  • learner runs at least two controlled failure drills with evidence
  • learner enables/disables Chaos Monkey safely
  • learner captures one game-day scorecard with action items

Hands-On Materials

Labs, quizzes, and runbooks — available to course members.

  • Game Day Scorecard (Template) Members
  • Lab: Controlled Chaos with Safety Guardrails Members
  • Quiz: Chapter 12 (Controlled Chaos) Members
  • Runbook: Controlled Chaos Game Day Members
Sign In to Access Get Full Access