chore(rbac): Adding minimal rbac permissions with comments description (#513)

* chore(rbac): Adding minimal rbac permissions with comments description

Signed-off-by: shubham chaudhary <shubham@chaosnative.com>

* chore(chart): Adding minimal rbac permissions in charts

Signed-off-by: shubham chaudhary <shubham@chaosnative.com>

charts/aws-ssm/aws-ssm-chaos-by-id/experiment.yaml

@@ -14,28 +14,34 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "events"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/log"
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "pods/exec"
+      - apiGroups: [""]
-          - "secrets"
+        resources: ["secrets","configmaps"]
-          - "configmaps"
+        verbs: ["get","list",]
-          - "chaosengines"
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosexperiments"
+      - apiGroups: [""]
-          - "chaosresults"
+        resources: ["pods/log"]
-        verbs:
+        verbs: ["get","list","watch"]  
-          - "create"
+      # for creating and managing to execute comands inside target container
-          - "list"
+      - apiGroups: [""]
-          - "get"
+        resources: ["pods/exec"]
-          - "patch"
+        verbs: ["get","list","create"]
-          - "update"
+      # for configuring and monitor the experiment job by the chaos-runner pod
-          - "delete"
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:ci"
     imagePullPolicy: Always
     args:

charts/aws-ssm/aws-ssm-chaos-by-id/rbac.yaml

@@ -16,18 +16,34 @@ metadata:
     name: aws-ssm-chaos-by-id-sa
     app.kubernetes.io/part-of: litmus
 rules:
+# Create and monitor the experiment & helper pods
 - apiGroups: [""]
-  resources: ["pods","events","secrets","configmaps"]
+  resources: ["pods"]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+  verbs: ["create","delete","get","list","patch","update", "deletecollection"]
+# Performs CRUD operations on the events inside chaosengine and chaosresult
 - apiGroups: [""]
-  resources: ["pods/exec","pods/log"]
+  resources: ["events"]
-  verbs: ["create","list","get"]
+  verbs: ["create","get","list","patch","update"]
+# Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
+- apiGroups: [""]
+  resources: ["secrets","configmaps"]
+  verbs: ["get","list",]
+# Track and get the runner, experiment, and helper pods log 
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get","list","watch"]  
+# for creating and managing to execute comands inside target container
+- apiGroups: [""]
+  resources: ["pods/exec"]
+  verbs: ["get","list","create"]
+# for configuring and monitor the experiment job by the chaos-runner pod
 - apiGroups: ["batch"]
   resources: ["jobs"]
   verbs: ["create","list","get","delete","deletecollection"]
+# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
 - apiGroups: ["litmuschaos.io"]
   resources: ["chaosengines","chaosexperiments","chaosresults"]
-  verbs: ["create","list","get","patch","update"]
+  verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/aws-ssm/aws-ssm-chaos-by-tag/experiment.yaml

@@ -14,28 +14,34 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "events"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/log"
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "pods/exec"
+      - apiGroups: [""]
-          - "secrets"
+        resources: ["secrets","configmaps"]
-          - "configmaps"
+        verbs: ["get","list",]
-          - "chaosengines"
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosexperiments"
+      - apiGroups: [""]
-          - "chaosresults"
+        resources: ["pods/log"]
-        verbs:
+        verbs: ["get","list","watch"]  
-          - "create"
+      # for creating and managing to execute comands inside target container
-          - "list"
+      - apiGroups: [""]
-          - "get"
+        resources: ["pods/exec"]
-          - "patch"
+        verbs: ["get","list","create"]
-          - "update"
+      # for configuring and monitor the experiment job by the chaos-runner pod
-          - "delete"
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:ci"
     imagePullPolicy: Always
     args:

charts/aws-ssm/aws-ssm-chaos-by-tag/rbac.yaml

@@ -16,18 +16,34 @@ metadata:
     name: aws-ssm-chaos-by-tag-sa
     app.kubernetes.io/part-of: litmus
 rules:
+# Create and monitor the experiment & helper pods
 - apiGroups: [""]
-  resources: ["pods","events","secrets","configmaps"]
+  resources: ["pods"]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+  verbs: ["create","delete","get","list","patch","update", "deletecollection"]
+# Performs CRUD operations on the events inside chaosengine and chaosresult
 - apiGroups: [""]
-  resources: ["pods/exec","pods/log"]
+  resources: ["events"]
-  verbs: ["create","list","get"]
+  verbs: ["create","get","list","patch","update"]
+# Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
+- apiGroups: [""]
+  resources: ["secrets","configmaps"]
+  verbs: ["get","list",]
+# Track and get the runner, experiment, and helper pods log 
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get","list","watch"]  
+# for creating and managing to execute comands inside target container
+- apiGroups: [""]
+  resources: ["pods/exec"]
+  verbs: ["get","list","create"]
+# for configuring and monitor the experiment job by the chaos-runner pod
 - apiGroups: ["batch"]
   resources: ["jobs"]
   verbs: ["create","list","get","delete","deletecollection"]
+# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
 - apiGroups: ["litmuschaos.io"]
   resources: ["chaosengines","chaosexperiments","chaosresults"]
-  verbs: ["create","list","get","patch","update"]
+  verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/azure/azure-disk-loss/experiment.yaml

@@ -14,31 +14,34 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups: 
+      # Create and monitor the experiment & helper pods
-          - "" 
+      - apiGroups: [""]
-          - "batch" 
+        resources: ["pods"]
-          - "apps" 
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "litmuschaos.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-        resources: 
+      - apiGroups: [""]
-          - "jobs" 
+        resources: ["events"]
-          - "pods" 
+        verbs: ["create","get","list","patch","update"]
-          - "pods/log" 
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "events" 
+      - apiGroups: [""]
-          - "deployments" 
+        resources: ["secrets","configmaps"]
-          - "replicasets" 
+        verbs: ["get","list",]
-          - "pods/exec" 
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosengines" 
+      - apiGroups: [""]
-          - "chaosexperiments" 
+        resources: ["pods/log"]
-          - "chaosresults"
+        verbs: ["get","list","watch"]  
-          - "secrets"
+      # for creating and managing to execute comands inside target container
-        verbs: 
+      - apiGroups: [""]
-          - "create" 
+        resources: ["pods/exec"]
-          - "list" 
+        verbs: ["get","list","create"]
-          - "get" 
+      # for configuring and monitor the experiment job by the chaos-runner pod
-          - "patch" 
+      - apiGroups: ["batch"]
-          - "update" 
+        resources: ["jobs"]
-          - "delete" 
+        verbs: ["create","list","get","delete","deletecollection"]
-          - "deletecollection"
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/azure/azure-disk-loss/rbac.yaml

@@ -17,18 +17,34 @@ metadata:
     name: azure-disk-loss-sa
     app.kubernetes.io/part-of: litmus
 rules:
+  # Create and monitor the experiment & helper pods
   - apiGroups: [""]
-  resources: ["pods","events","secrets"]
+    resources: ["pods"]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
   - apiGroups: [""]
-    resources: ["pods/exec","pods/log"]
+    resources: ["events"]
-    verbs: ["create","list","get"]
+    verbs: ["create","get","list","patch","update"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
+  - apiGroups: [""]
+    resources: ["secrets","configmaps"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
   - apiGroups: ["batch"]
     resources: ["jobs"]
     verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
   - apiGroups: ["litmuschaos.io"]
     resources: ["chaosengines","chaosexperiments","chaosresults"]
-    verbs: ["create","list","get","patch","update"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/azure/azure-instance-stop/experiment.yaml

@@ -14,27 +14,34 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "events"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/log"
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "pods/exec"
+      - apiGroups: [""]
-          - "secrets"
+        resources: ["secrets","configmaps"]
-          - "chaosengines"
+        verbs: ["get","list",]
-          - "chaosexperiments"
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosresults"
+      - apiGroups: [""]
-        verbs:
+        resources: ["pods/log"]
-          - "create"
+        verbs: ["get","list","watch"]  
-          - "list"
+      # for creating and managing to execute comands inside target container
-          - "get"
+      - apiGroups: [""]
-          - "patch"
+        resources: ["pods/exec"]
-          - "update"
+        verbs: ["get","list","create"]
-          - "delete"
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:ci"
     imagePullPolicy: Always
     args:

charts/azure/azure-instance-stop/rbac.yaml

@@ -16,18 +16,34 @@ metadata:
     name: azure-instance-stop-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events","secrets"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["secrets","configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/cassandra/cassandra-pod-delete/experiment.yaml

@@ -14,31 +14,42 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "apps"
+        resources: ["pods"]
-          - "batch"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "litmuschaos.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-        resources:
+      - apiGroups: [""]
-          - "deployments"
+        resources: ["events"]
-          - "statefulsets"
+        verbs: ["create","get","list","patch","update"]
-          - "jobs"
+      # Create and manage the liveness and target application services
-          - "pods"
+      - apiGroups: [""]
-          - "pods/log"
+        resources: ["services"]
-          - "pods/exec"
+        verbs: ["create","delete","get","list", "deletecollection"]
-          - "services"
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "events"
+      - apiGroups: [""]
-          - "chaosengines"
+        resources: ["secrets","configmaps"]
-          - "chaosexperiments"
+        verbs: ["get","list",]
-          - "chaosresults"
+      # Track and get the runner, experiment, and helper pods log 
-        verbs:
+      - apiGroups: [""]
-          - "create"
+        resources: ["pods/log"]
-          - "list"
+        verbs: ["get","list","watch"]  
-          - "get"
+      # for creating and managing to execute comands inside target container
-          - "patch"
+      - apiGroups: [""]
-          - "update"
+        resources: ["pods/exec"]
-          - "delete"
+        verbs: ["get","list","create"]
-          - "deletecollection"
+      # for deriving the parent/owner details of the pod   
+      - apiGroups: ["apps"]
+        resources: ["deployments","statefulsets"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/cassandra/cassandra-pod-delete/rbac.yaml

@@ -17,21 +17,42 @@ metadata:
     name: cassandra-pod-delete-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events","services"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Create and manage the liveness and target application services
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets"]
+    resources: ["services"]
-  verbs: ["list","get"]
+    verbs: ["create","delete","get","list", "deletecollection"]
-- apiGroups: ["litmuschaos.io"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update"]
+    resources: ["secrets","configmaps"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for deriving the parent/owner details of the pod   
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/gcp/gcp-vm-disk-loss/experiment.yaml

@@ -14,28 +14,34 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups: 
+      # Create and monitor the experiment & helper pods
-          - "" 
+      - apiGroups: [""]
-          - "batch" 
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources: 
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs" 
+      - apiGroups: [""]
-          - "pods" 
+        resources: ["events"]
-          - "pods/log" 
+        verbs: ["create","get","list","patch","update"]
-          - "events" 
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "secrets" 
+      - apiGroups: [""]
-          - "pods/exec" 
+        resources: ["secrets","configmaps"]
-          - "chaosengines" 
+        verbs: ["get","list",]
-          - "chaosexperiments" 
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosresults"
+      - apiGroups: [""]
-        verbs: 
+        resources: ["pods/log"]
-          - "create" 
+        verbs: ["get","list","watch"]  
-          - "list" 
+      # for creating and managing to execute comands inside target container
-          - "get" 
+      - apiGroups: [""]
-          - "patch" 
+        resources: ["pods/exec"]
-          - "update" 
+        verbs: ["get","list","create"]
-          - "delete" 
+      # for configuring and monitor the experiment job by the chaos-runner pod
-          - "deletecollection"
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:ci"
     imagePullPolicy: Always
     args:

charts/gcp/gcp-vm-disk-loss/rbac.yaml

@@ -16,18 +16,34 @@ metadata:
     name: gcp-vm-disk-loss-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events","secrets"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["secrets","configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/gcp/gcp-vm-instance-stop/experiment.yaml

@@ -14,29 +14,38 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups: 
+      # Create and monitor the experiment & helper pods
-          - "" 
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources: 
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs" 
+      - apiGroups: [""]
-          - "pods" 
+        resources: ["events"]
-          - "pods/log" 
+        verbs: ["create","get","list","patch","update"]
-          - "events" 
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "secrets" 
+      - apiGroups: [""]
-          - "pods/exec" 
+        resources: ["secrets","configmaps"]
-          - "chaosengines" 
+        verbs: ["get","list",]
-          - "chaosexperiments" 
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosresults"
+      - apiGroups: [""]
-          - "nodes"
+        resources: ["pods/log"]
-        verbs: 
+        verbs: ["get","list","watch"]  
-          - "create" 
+      # for creating and managing to execute comands inside target container
-          - "list" 
+      - apiGroups: [""]
-          - "get" 
+        resources: ["pods/exec"]
-          - "patch" 
+        verbs: ["get","list","create"]
-          - "update" 
+      # for configuring and monitor the experiment job by the chaos-runner pod
-          - "delete" 
+      - apiGroups: ["batch"]
-          - "deletecollection"
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
+      # for experiment to perform node status checks
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get","list"]
     image: "litmuschaos/go-runner:ci"
     imagePullPolicy: Always
     args:

charts/gcp/gcp-vm-instance-stop/rbac.yaml

@@ -16,21 +16,38 @@ metadata:
     name: gcp-vm-instance-stop-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events","secrets"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["secrets","configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/container-kill/experiment.yaml

@@ -13,37 +13,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "apps"
+        resources: ["pods"]
-          - "batch"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "argoproj.io"
+      - apiGroups: [""]
-          - "litmuschaos.io"
+        resources: ["events"]
-        resources:
+        verbs: ["create","get","list","patch","update"]
-          - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods"
+      - apiGroups: [""]
-          - "pods/log"
+        resources: ["configmaps"]
-          - "events"
+        verbs: ["get","list",]
-          - "replicationcontrollers"
+      # Track and get the runner, experiment, and helper pods log 
-          - "deployments"
+      - apiGroups: [""]
-          - "statefulsets"
+        resources: ["pods/log"]
-          - "daemonsets"
+        verbs: ["get","list","watch"]  
-          - "replicasets"
+      # for creating and managing to execute comands inside target container
-          - "deploymentconfigs"
+      - apiGroups: [""]
-          - "rollouts"
+        resources: ["pods/exec"]
-          - "pods/exec"
+        verbs: ["get","list","create"]
-          - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-          - "chaosexperiments"
+      - apiGroups: ["apps"]
-          - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-        verbs:
+        verbs: ["list","get"]
-          - "create"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-          - "list"
+      - apiGroups: ["apps.openshift.io"]
-          - "get"
+        resources: ["deploymentconfigs"]
-          - "update"
+        verbs: ["list","get"]
-          - "patch"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-          - "delete"
+      - apiGroups: [""]
-          - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/container-kill/rbac-psp.yaml

@@ -17,31 +17,55 @@ metadata:
     name: container-kill-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["list","get","create"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-- apiGroups: ["policy"]
+  - apiGroups: ["apps"]
-  resources: ["podsecuritypolicies"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-  verbs: ["use"]
+    verbs: ["list","get"]
-  resourceNames: ["litmus"]  
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]  
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/container-kill/rbac.yaml

@@ -17,27 +17,50 @@ metadata:
     name: container-kill-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["list","get","create"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/container-kill/rbac_nginx_getstarted.yaml

@@ -15,27 +15,50 @@ metadata:
   labels:
     name: container-kill-sa
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["list","get","create"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/disk-fill/experiment.yaml

@@ -14,37 +14,50 @@ spec:
   definition:
     scope: Namespaced
     permissions: 
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "apps"
+        resources: ["pods"]
-          - "batch"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "argoproj.io"
+      - apiGroups: [""]
-          - "litmuschaos.io"
+        resources: ["events"]
-        resources:
+        verbs: ["create","get","list","patch","update"]
-          - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods"
+      - apiGroups: [""]
-          - "pods/exec"
+        resources: ["configmaps"]
-          - "pods/log"
+        verbs: ["get","list",]
-          - "replicationcontrollers"
+      # Track and get the runner, experiment, and helper pods log 
-          - "deployments"
+      - apiGroups: [""]
-          - "statefulsets"
+        resources: ["pods/log"]
-          - "daemonsets"
+        verbs: ["get","list","watch"]  
-          - "replicasets"
+      # for creating and managing to execute comands inside target container
-          - "deploymentconfigs"
+      - apiGroups: [""]
-          - "rollouts"
+        resources: ["pods/exec"]
-          - "events"
+        verbs: ["get","list","create"]
-          - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-          - "chaosexperiments"
+      - apiGroups: ["apps"]
-          - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-        verbs:
+        verbs: ["list","get"]
-          - "create"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-          - "list"
+      - apiGroups: ["apps.openshift.io"]
-          - "get"
+        resources: ["deploymentconfigs"]
-          - "patch"
+        verbs: ["list","get"]
-          - "update"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-          - "delete"
+      - apiGroups: [""]
-          - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/disk-fill/rbac-psp.yaml

@@ -17,31 +17,55 @@ metadata:
     name: disk-fill-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["list","get","create"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-- apiGroups: ["policy"]
+  - apiGroups: ["apps"]
-  resources: ["podsecuritypolicies"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-  verbs: ["use"]
+    verbs: ["list","get"]
-  resourceNames: ["litmus"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/disk-fill/rbac.yaml

@@ -17,27 +17,50 @@ metadata:
     name: disk-fill-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["list","get","create"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/docker-service-kill/experiment.yaml

@@ -14,33 +14,38 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "litmuschaos.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-        resources:
+      - apiGroups: [""]
-          - "jobs"
+        resources: ["events"]
-          - "pods"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/log"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "events"
+      - apiGroups: [""]
-          - "chaosengines"
+        resources: ["configmaps"]
-          - "chaosexperiments"
+        verbs: ["get","list",]
-          - "chaosresults"
+      # Track and get the runner, experiment, and helper pods log 
-        verbs:
+      - apiGroups: [""]
-          - "create"
+        resources: ["pods/log"]
-          - "list"
+        verbs: ["get","list","watch"]  
-          - "get"
+      # for creating and managing to execute comands inside target container
-          - "patch"
+      - apiGroups: [""]
-          - "update"
+        resources: ["pods/exec"]
-          - "delete"
+        verbs: ["get","list","create"]
-      - apiGroups:
+      # for configuring and monitor the experiment job by the chaos-runner pod
-          - ""
+      - apiGroups: ["batch"]
-        resources:
+        resources: ["jobs"]
-          - "nodes"
+        verbs: ["create","list","get","delete","deletecollection"]
-        verbs:
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-          - "get"
+      - apiGroups: ["litmuschaos.io"]
-          - "list"
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
+      # for experiment to perform node status checks
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get","list"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/docker-service-kill/rbac-psp.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: docker-service-kill-sa
+  namespace: default
+  labels:
+    name: docker-service-kill-sa
+    app.kubernetes.io/part-of: litmus
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: docker-service-kill-sa
+  labels:
+    name: docker-service-kill-sa
+    app.kubernetes.io/part-of: litmus
+rules:
+  # Create and monitor the experiment & helper pods
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create","get","list","patch","update"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]  
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: docker-service-kill-sa
+  labels:
+    name: docker-service-kill-sa
+    app.kubernetes.io/part-of: litmus
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: docker-service-kill-sa
+subjects:
+- kind: ServiceAccount
+  name: docker-service-kill-sa
+  namespace: default

charts/generic/docker-service-kill/rbac.yaml

@@ -16,12 +16,38 @@ metadata:
     name: docker-service-kill-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: ["","litmuschaos.io","batch","apps"]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","jobs","pods/log","events","chaosengines","chaosexperiments","chaosresults"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["nodes"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["get","list"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create","get","list","patch","update"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/kubelet-service-kill/experiment.yaml

@@ -14,34 +14,38 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "pods/log"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/exec"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "events"
+      - apiGroups: [""]
-          - "chaosengines"
+        resources: ["configmaps"]
-          - "chaosexperiments"
+        verbs: ["get","list",]
-          - "chaosresults"
+      # Track and get the runner, experiment, and helper pods log 
-        verbs:
+      - apiGroups: [""]
-          - "create"
+        resources: ["pods/log"]
-          - "list"
+        verbs: ["get","list","watch"]  
-          - "get"
+      # for creating and managing to execute comands inside target container
-          - "patch"
+      - apiGroups: [""]
-          - "update"
+        resources: ["pods/exec"]
-          - "delete"
+        verbs: ["get","list","create"]
-          - "deletecollection"
+      # for configuring and monitor the experiment job by the chaos-runner pod
-      - apiGroups:
+      - apiGroups: ["batch"]
-          - ""
+        resources: ["jobs"]
-        resources: 
+        verbs: ["create","list","get","delete","deletecollection"]
-          - "nodes"
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-        verbs:
+      - apiGroups: ["litmuschaos.io"]
-          - "get"
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
-          - "list"
+        verbs: ["create","list","get","patch","update","delete"]
+      # for experiment to perform node status checks
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get","list"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/kubelet-service-kill/rbac-psp.yaml

@@ -16,25 +16,43 @@ metadata:
     name: kubelet-service-kill-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
-- apiGroups: ["policy"]
+    verbs: ["get","list","watch"]  
-  resources: ["podsecuritypolicies"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["use"]
+  - apiGroups: [""]
-  resourceNames: ["litmus"]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
+  # use litmus psp 
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/kubelet-service-kill/rbac.yaml

@@ -16,21 +16,38 @@ metadata:
     name: kubelet-service-kill-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-cpu-hog/experiment.yaml

@@ -14,34 +14,38 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "pods/log"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/exec"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "events"
+      - apiGroups: [""]
-          - "chaosengines"
+        resources: ["configmaps"]
-          - "chaosexperiments"
+        verbs: ["get","list",]
-          - "chaosresults"
+      # Track and get the runner, experiment, and helper pods log 
-        verbs:
+      - apiGroups: [""]
-          - "create"
+        resources: ["pods/log"]
-          - "list"
+        verbs: ["get","list","watch"]  
-          - "get"
+      # for creating and managing to execute comands inside target container
-          - "patch"
+      - apiGroups: [""]
-          - "update"
+        resources: ["pods/exec"]
-          - "delete"
+        verbs: ["get","list","create"]
-          - "deletecollection"
+      # for configuring and monitor the experiment job by the chaos-runner pod
-      - apiGroups:
+      - apiGroups: ["batch"]
-          - ""
+        resources: ["jobs"]
-        resources: 
+        verbs: ["create","list","get","delete","deletecollection"]
-          - "nodes"
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-        verbs:
+      - apiGroups: ["litmuschaos.io"]
-          - "get"
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
-          - "list"
+        verbs: ["create","list","get","patch","update","delete"]
+      # for experiment to perform node status checks
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get","list"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/node-cpu-hog/rbac-psp.yaml

@@ -16,25 +16,43 @@ metadata:
     name: node-cpu-hog-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["list","get","create"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
-- apiGroups: ["policy"]
+    verbs: ["get","list","watch"]  
-  resources: ["podsecuritypolicies"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["use"]
+  - apiGroups: [""]
-  resourceNames: ["litmus"]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-cpu-hog/rbac.yaml

@@ -16,21 +16,38 @@ metadata:
     name: node-cpu-hog-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["list","get","create"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-drain/experiment.yaml

@@ -15,38 +15,42 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "apps"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-        resources:
+      - apiGroups: [""]
-          - "jobs"
+        resources: ["events"]
-          - "pods"
+        verbs: ["create","get","list","patch","update"]
-          - "events"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods/log"
+      - apiGroups: [""]
-          - "pods/exec"
+        resources: ["configmaps"]
-          - "daemonsets"
+        verbs: ["get","list",]
-          - "pods/eviction"
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosengines"
+      - apiGroups: [""]
-          - "chaosexperiments"
+        resources: ["pods/log"]
-          - "chaosresults"
+        verbs: ["get","list","watch"]  
-        verbs:
+      # for creating and managing to execute comands inside target container
-          - "create"
+      - apiGroups: [""]
-          - "list"
+        resources: ["pods/exec","pods/eviction"]
-          - "get"
+        verbs: ["get","list","create"]
-          - "patch"
+      # ignore daemonsets while draining the node
-          - "update"
+      - apiGroups: ["apps"]
-          - "delete"
+        resources: ["daemonsets"]
-          - "deletecollection"
+        verbs: ["list","get","delete"]
-      - apiGroups:
+      # for configuring and monitor the experiment job by the chaos-runner pod
-          - ""
+      - apiGroups: ["batch"]
-        resources: 
+        resources: ["jobs"]
-          - "nodes"
+        verbs: ["create","list","get","delete","deletecollection"]
-        verbs:
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-          - "get"
+      - apiGroups: ["litmuschaos.io"]
-          - "list"
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
-          - "patch"
+        verbs: ["create","list","get","patch","update","delete"]
+      # for experiment to perform node status checks
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get","list","patch"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/node-drain/rbac-psp.yaml

@@ -16,28 +16,47 @@ metadata:
     name: node-drain-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","pods/eviction"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["list","get","create"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["daemonsets"]
+    resources: ["configmaps"]
-  verbs: ["list","get","delete"]
+    verbs: ["get","list",]
-- apiGroups: ["litmuschaos.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update"]
+    resources: ["pods/log"]
-- apiGroups: [""]
+    verbs: ["get","list","watch"]  
-  resources: ["nodes"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["patch","get","list"]
+  - apiGroups: [""]
-- apiGroups: ["policy"]
+    resources: ["pods/exec","pods/eviction"]
-  resources: ["podsecuritypolicies"]
+    verbs: ["get","list","create"]
-  verbs: ["use"]
+  # ignore daemonsets while draining the node
-  resourceNames: ["litmus"]
+  - apiGroups: ["apps"]
+    resources: ["daemonsets"]
+    verbs: ["list","get","delete"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list","patch"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-drain/rbac.yaml

@@ -16,24 +16,42 @@ metadata:
     name: node-drain-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+ # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","pods/eviction"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["list","get","create"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["daemonsets"]
+    resources: ["configmaps"]
-  verbs: ["list","get","delete"]
+    verbs: ["get","list",]
-- apiGroups: ["litmuschaos.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update"]
+    resources: ["pods/log"]
-- apiGroups: [""]
+    verbs: ["get","list","watch"]  
-  resources: ["nodes"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["patch","get","list"]
+  - apiGroups: [""]
+    resources: ["pods/exec","pods/eviction"]
+    verbs: ["get","list","create"]
+  # ignore daemonsets while draining the node
+  - apiGroups: ["apps"]
+    resources: ["daemonsets"]
+    verbs: ["list","get","delete"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list","patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-io-stress/experiment.yaml

@@ -14,34 +14,38 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "pods/log"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/exec"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "events"
+      - apiGroups: [""]
-          - "chaosengines"
+        resources: ["configmaps"]
-          - "chaosexperiments"
+        verbs: ["get","list",]
-          - "chaosresults"
+      # Track and get the runner, experiment, and helper pods log 
-        verbs:
+      - apiGroups: [""]
-          - "create"
+        resources: ["pods/log"]
-          - "list"
+        verbs: ["get","list","watch"]  
-          - "get"
+      # for creating and managing to execute comands inside target container
-          - "patch"
+      - apiGroups: [""]
-          - "update"
+        resources: ["pods/exec"]
-          - "delete"
+        verbs: ["get","list","create"]
-          - "deletecollection"
+      # for configuring and monitor the experiment job by the chaos-runner pod
-      - apiGroups:
+      - apiGroups: ["batch"]
-          - ""
+        resources: ["jobs"]
-        resources: 
+        verbs: ["create","list","get","delete","deletecollection"]
-          - "nodes"
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-        verbs:
+      - apiGroups: ["litmuschaos.io"]
-          - "get"
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
-          - "list"
+        verbs: ["create","list","get","patch","update","delete"]
+      # for experiment to perform node status checks
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get","list"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/node-io-stress/rbac-psp.yaml

@@ -16,25 +16,43 @@ metadata:
     name: node-io-stress-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
-- apiGroups: ["policy"]
+    verbs: ["get","list","watch"]  
-  resources: ["podsecuritypolicies"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["use"]
+  - apiGroups: [""]
-  resourceNames: ["litmus"]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-io-stress/rbac.yaml

@@ -16,21 +16,38 @@ metadata:
     name: node-io-stress-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-memory-hog/experiment.yaml

@@ -14,34 +14,38 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "pods/log"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/exec"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "events"
+      - apiGroups: [""]
-          - "chaosengines"
+        resources: ["configmaps"]
-          - "chaosexperiments"
+        verbs: ["get","list",]
-          - "chaosresults"
+      # Track and get the runner, experiment, and helper pods log 
-        verbs:
+      - apiGroups: [""]
-          - "create"
+        resources: ["pods/log"]
-          - "list"
+        verbs: ["get","list","watch"]  
-          - "get"
+      # for creating and managing to execute comands inside target container
-          - "patch"
+      - apiGroups: [""]
-          - "update"
+        resources: ["pods/exec"]
-          - "delete"
+        verbs: ["get","list","create"]
-          - "deletecollection"
+      # for configuring and monitor the experiment job by the chaos-runner pod
-      - apiGroups:
+      - apiGroups: ["batch"]
-          - ""
+        resources: ["jobs"]
-        resources: 
+        verbs: ["create","list","get","delete","deletecollection"]
-          - "nodes"
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-        verbs:
+      - apiGroups: ["litmuschaos.io"]
-          - "get"
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
-          - "list"
+        verbs: ["create","list","get","patch","update","delete"]
+      # for experiment to perform node status checks
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get","list"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/node-memory-hog/rbac-psp.yaml

@@ -16,25 +16,43 @@ metadata:
     name: node-memory-hog-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
-- apiGroups: ["policy"]
+    verbs: ["get","list","watch"]  
-  resources: ["podsecuritypolicies"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["use"]
+  - apiGroups: [""]
-  resourceNames: ["litmus"]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-memory-hog/rbac.yaml

@@ -16,21 +16,38 @@ metadata:
     name: node-memory-hog-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-poweroff/experiment.yaml

@@ -14,35 +14,38 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "pods/log"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/exec"
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "events"
+      - apiGroups: [""]
-          - "chaosengines"
+        resources: ["configmaps","secrets"]
-          - "chaosexperiments"
+        verbs: ["get","list",]
-          - "chaosresults"
+      # Track and get the runner, experiment, and helper pods log 
-          - "secrets"
+      - apiGroups: [""]
-        verbs:
+        resources: ["pods/log"]
-          - "create"
+        verbs: ["get","list","watch"]  
-          - "list"
+      # for creating and managing to execute comands inside target container
-          - "get"
+      - apiGroups: [""]
-          - "patch"
+        resources: ["pods/exec"]
-          - "update"
+        verbs: ["get","list","create"]
-          - "delete"
+      # for configuring and monitor the experiment job by the chaos-runner pod
-          - "deletecollection"
+      - apiGroups: ["batch"]
-      - apiGroups:
+        resources: ["jobs"]
-          - ""
+        verbs: ["create","list","get","delete","deletecollection"]
-        resources:
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-          - "nodes"
+      - apiGroups: ["litmuschaos.io"]
-        verbs:
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
-          - "get"
+        verbs: ["create","list","get","patch","update","delete"]
-          - "list"
+      # for experiment to perform node status checks
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get","list"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/node-poweroff/rbac-psp.yaml

@@ -16,25 +16,43 @@ metadata:
     name: node-poweroff-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events","secrets"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["configmaps","secrets"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
-- apiGroups: ["policy"]
+    verbs: ["get","list","watch"]  
-  resources: ["podsecuritypolicies"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["use"]
+  - apiGroups: [""]
-  resourceNames: ["litmus"]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-poweroff/rbac.yaml

@@ -16,21 +16,38 @@ metadata:
     name: node-poweroff-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events","secrets"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["configmaps","secrets"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-restart/experiment.yaml

@@ -14,35 +14,38 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "pods/log"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/exec"
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "events"
+      - apiGroups: [""]
-          - "chaosengines"
+        resources: ["configmaps","secrets"]
-          - "chaosexperiments"
+        verbs: ["get","list",]
-          - "chaosresults"
+      # Track and get the runner, experiment, and helper pods log 
-          - "secrets"
+      - apiGroups: [""]
-        verbs:
+        resources: ["pods/log"]
-          - "create"
+        verbs: ["get","list","watch"]  
-          - "list"
+      # for creating and managing to execute comands inside target container
-          - "get"
+      - apiGroups: [""]
-          - "patch"
+        resources: ["pods/exec"]
-          - "update"
+        verbs: ["get","list","create"]
-          - "delete"
+      # for configuring and monitor the experiment job by the chaos-runner pod
-          - "deletecollection"
+      - apiGroups: ["batch"]
-      - apiGroups:
+        resources: ["jobs"]
-          - ""
+        verbs: ["create","list","get","delete","deletecollection"]
-        resources:
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-          - "nodes"
+      - apiGroups: ["litmuschaos.io"]
-        verbs:
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
-          - "get"
+        verbs: ["create","list","get","patch","update","delete"]
-          - "list"
+      # for experiment to perform node status checks
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get","list"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/node-restart/rbac-psp.yaml

@@ -16,25 +16,43 @@ metadata:
     name: node-restart-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events","secrets"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["configmaps","secrets"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
-- apiGroups: ["policy"]
+    verbs: ["get","list","watch"]  
-  resources: ["podsecuritypolicies"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["use"]
+  - apiGroups: [""]
-  resourceNames: ["litmus"] 
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"] 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-restart/rbac.yaml

@@ -16,21 +16,38 @@ metadata:
     name: node-restart-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events","secrets"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["configmaps","secrets"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["get","list"]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-taint/experiment.yaml

@@ -15,39 +15,42 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "litmuschaos.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-        resources:
+      - apiGroups: [""]
-          - "jobs"
+        resources: ["events"]
-          - "pods"
+        verbs: ["create","get","list","patch","update"]
-          - "events"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods/log"
+      - apiGroups: [""]
-          - "pods/exec"
+        resources: ["configmaps"]
-          - "daemonsets"
+        verbs: ["get","list",]
-          - "pods/eviction"
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosengines"
+      - apiGroups: [""]
-          - "chaosexperiments"
+        resources: ["pods/log"]
-          - "chaosresults"
+        verbs: ["get","list","watch"]  
-        verbs:
+      # for creating and managing to execute comands inside target container
-          - "create"
+      - apiGroups: [""]
-          - "list"
+        resources: ["pods/exec","pods/eviction"]
-          - "get"
+        verbs: ["get","list","create"]
-          - "patch"
+      # ignore daemonsets while draining the node
-          - "update"
+      - apiGroups: ["apps"]
-          - "delete"
+        resources: ["daemonsets"]
-          - "deletecollection"
+        verbs: ["list","get","delete"]
-      - apiGroups:
+      # for configuring and monitor the experiment job by the chaos-runner pod
-          - ""
+      - apiGroups: ["batch"]
-        resources: 
+        resources: ["jobs"]
-          - "nodes"
+        verbs: ["create","list","get","delete","deletecollection"]
-        verbs:
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-          - "get"
+      - apiGroups: ["litmuschaos.io"]
-          - "list"
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
-          - "patch"
+        verbs: ["create","list","get","patch","update","delete"]
-          - "update"
+      # for experiment to perform node status checks
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get","list","patch","update"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/node-taint/rbac-psp.yaml

@@ -16,28 +16,47 @@ metadata:
     name: node-taint-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","pods/eviction"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["daemonsets"]
+    resources: ["configmaps"]
-  verbs: ["list","get","delete"]
+    verbs: ["get","list",]
-- apiGroups: ["litmuschaos.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update"]
+    resources: ["pods/log"]
-- apiGroups: [""]
+    verbs: ["get","list","watch"]  
-  resources: ["nodes"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["patch","get","list","update"]
+  - apiGroups: [""]
-- apiGroups: ["policy"]
+    resources: ["pods/exec","pods/eviction"]
-  resources: ["podsecuritypolicies"]
+    verbs: ["get","list","create"]
-  verbs: ["use"]
+  # ignore daemonsets while draining the node
-  resourceNames: ["litmus"]
+  - apiGroups: ["apps"]
+    resources: ["daemonsets"]
+    verbs: ["list","get","delete"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list","patch","update"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/node-taint/rbac.yaml

@@ -16,24 +16,42 @@ metadata:
     name: node-taint-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+ # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","pods/eviction"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["daemonsets"]
+    resources: ["configmaps"]
-  verbs: ["list","get","delete"]
+    verbs: ["get","list",]
-- apiGroups: ["litmuschaos.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update"]
+    resources: ["pods/log"]
-- apiGroups: [""]
+    verbs: ["get","list","watch"]  
-  resources: ["nodes"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["patch","get","list","update"]
+  - apiGroups: [""]
+    resources: ["pods/exec","pods/eviction"]
+    verbs: ["get","list","create"]
+  # ignore daemonsets while draining the node
+  - apiGroups: ["apps"]
+    resources: ["daemonsets"]
+    verbs: ["list","get","delete"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list","patch","update"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/pod-autoscaler/experiment.yaml

@@ -14,40 +14,38 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "litmuschaos.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-        resources:
+      - apiGroups: [""]
-          - "jobs"
+        resources: ["events"]
-          - "pods"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/log"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods/exec"
+      - apiGroups: [""]
-          - "deployments"
+        resources: ["configmaps"]
-          - "statefulsets"
+        verbs: ["get","list",]
-          - "events"
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosengines"
+      - apiGroups: [""]
-          - "chaosexperiments"
+        resources: ["pods/log"]
-          - "chaosresults"
+        verbs: ["get","list","watch"]  
-        verbs:
+      # for creating and managing to execute comands inside target container
-          - "create"
+      - apiGroups: [""]
-          - "list"
+        resources: ["pods/exec"]
-          - "get"
+        verbs: ["get","list","create"]
-          - "patch"
+      # performs CRUD operations on the deployments and statefulsets
-          - "update"
+      - apiGroups: ["apps"]
-          - "delete"
+        resources: ["deployments","statefulsets"]
-          - "deletecollection"
+        verbs: ["list","get","patch","update"]
-      - apiGroups:
+      # for configuring and monitor the experiment job by the chaos-runner pod
-          - ""
+      - apiGroups: ["batch"]
-        resources: 
+        resources: ["jobs"]
-          - "nodes"
+        verbs: ["create","list","get","delete","deletecollection"]
-        verbs:
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-          - "get"
+      - apiGroups: ["litmuschaos.io"]
-          - "list"
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
-          - "create"
+        verbs: ["create","list","get","patch","update","delete"]
-          - "patch"
-          - "update"
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/pod-autoscaler/rbac-psp.yaml

@@ -16,25 +16,43 @@ metadata:
     name: pod-autoscaler-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets"]
+    resources: ["configmaps"]
-  verbs: ["list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: ["litmuschaos.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update"]
+    resources: ["pods/log"]
-- apiGroups: ["policy"]
+    verbs: ["get","list","watch"]  
-  resources: ["podsecuritypolicies"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["use"]
+  - apiGroups: [""]
-  resourceNames: ["litmus"]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # performs CRUD operations on the deployments and statefulsets
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets"]
+    verbs: ["list","get","patch","update"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/pod-autoscaler/rbac.yaml

@@ -16,21 +16,38 @@ metadata:
     name: pod-autoscaler-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets"]
+    resources: ["configmaps"]
-  verbs: ["list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: ["litmuschaos.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update"]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # performs CRUD operations on the deployments and statefulsets
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets"]
+    verbs: ["list","get","patch","update"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/generic/pod-cpu-hog-exec/experiment.yaml

@@ -14,37 +14,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "argoproj.io"
+      - apiGroups: [""]
-          - "litmuschaos.io"
+        resources: ["events"]
-        resources:
+        verbs: ["create","get","list","patch","update"]
-          - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods"
+      - apiGroups: [""]
-          - "pods/log"
+        resources: ["configmaps"]
-          - "events"
+        verbs: ["get","list",]
-          - "replicationcontrollers"
+      # Track and get the runner, experiment, and helper pods log 
-          - "deployments"
+      - apiGroups: [""]
-          - "statefulsets"
+        resources: ["pods/log"]
-          - "daemonsets"
+        verbs: ["get","list","watch"]  
-          - "replicasets"
+      # for creating and managing to execute comands inside target container
-          - "deploymentconfigs"
+      - apiGroups: [""]
-          - "rollouts"
+        resources: ["pods/exec"]
-          - "pods/exec"
+        verbs: ["get","list","create"]
-          - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-          - "chaosexperiments"
+      - apiGroups: ["apps"]
-          - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-        verbs:
+        verbs: ["list","get"]
-          - "create"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-          - "list"
+      - apiGroups: ["apps.openshift.io"]
-          - "get"
+        resources: ["deploymentconfigs"]
-          - "patch"
+        verbs: ["list","get"]
-          - "update"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-          - "delete"
+      - apiGroups: [""]
-          - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:ci"
     imagePullPolicy: Always
     args:

charts/generic/pod-cpu-hog-exec/rbac-psp.yaml

@@ -17,31 +17,55 @@ metadata:
     name: pod-cpu-hog-exec-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-- apiGroups: ["policy"]
+  - apiGroups: ["apps"]
-  resources: ["podsecuritypolicies"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-  verbs: ["use"]
+    verbs: ["list","get"]
-  resourceNames: ["litmus"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-cpu-hog-exec/rbac.yaml

@@ -17,27 +17,50 @@ metadata:
     name: pod-cpu-hog-exec-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-cpu-hog/experiment.yaml

@@ -14,37 +14,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "argoproj.io"
+      - apiGroups: [""]
-          - "litmuschaos.io"
+        resources: ["events"]
-        resources:
+        verbs: ["create","get","list","patch","update"]
-          - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods"
+      - apiGroups: [""]
-          - "pods/log"
+        resources: ["configmaps"]
-          - "events"
+        verbs: ["get","list",]
-          - "replicationcontrollers"
+      # Track and get the runner, experiment, and helper pods log 
-          - "deployments"
+      - apiGroups: [""]
-          - "statefulsets"
+        resources: ["pods/log"]
-          - "daemonsets"
+        verbs: ["get","list","watch"]  
-          - "replicasets"
+      # for creating and managing to execute comands inside target container
-          - "deploymentconfigs"
+      - apiGroups: [""]
-          - "rollouts"
+        resources: ["pods/exec"]
-          - "pods/exec"
+        verbs: ["get","list","create"]
-          - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-          - "chaosexperiments"
+      - apiGroups: ["apps"]
-          - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-        verbs:
+        verbs: ["list","get"]
-          - "create"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-          - "list"
+      - apiGroups: ["apps.openshift.io"]
-          - "get"
+        resources: ["deploymentconfigs"]
-          - "patch"
+        verbs: ["list","get"]
-          - "update"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-          - "delete"
+      - apiGroups: [""]
-          - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:ci"
     imagePullPolicy: Always
     args:

charts/generic/pod-cpu-hog/rbac-psp.yaml

@@ -17,31 +17,55 @@ metadata:
     name: pod-cpu-hog-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-- apiGroups: ["policy"]
+  - apiGroups: ["apps"]
-  resources: ["podsecuritypolicies"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-  verbs: ["use"]
+    verbs: ["list","get"]
-  resourceNames: ["litmus"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-cpu-hog/rbac.yaml

@@ -17,27 +17,50 @@ metadata:
     name: pod-cpu-hog-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-delete/experiment.yaml

@@ -14,38 +14,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "apps"
+        resources: ["pods"]
-          - "apps.openshift.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "argoproj.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "batch"
+      - apiGroups: [""]
-          - "litmuschaos.io"
+        resources: ["events"]
-        resources:
+        verbs: ["create","get","list","patch","update"]
-          - "deployments"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["configmaps"]
-          - "pods/log"
+        verbs: ["get","list",]
-          - "replicationcontrollers"
+      # Track and get the runner, experiment, and helper pods log 
-          - "deployments"
+      - apiGroups: [""]
-          - "statefulsets"
+        resources: ["pods/log"]
-          - "daemonsets"
+        verbs: ["get","list","watch"]  
-          - "replicasets"
+      # for creating and managing to execute comands inside target container
-          - "deploymentconfigs"
+      - apiGroups: [""]
-          - "rollouts"
+        resources: ["pods/exec"]
-          - "pods/exec"
+        verbs: ["get","list","create"]
-          - "events"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-          - "chaosengines"
+      - apiGroups: ["apps"]
-          - "chaosexperiments"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-          - "chaosresults"
+        verbs: ["list","get"]
-        verbs:
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-          - "create"
+      - apiGroups: ["apps.openshift.io"]
-          - "list"
+        resources: ["deploymentconfigs"]
-          - "get"
+        verbs: ["list","get"]
-          - "patch"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-          - "update"
+      - apiGroups: [""]
-          - "delete"
+        resources: ["replicationcontrollers"]
-          - "deletecollection"
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/pod-delete/rbac-psp.yaml

@@ -17,31 +17,55 @@ metadata:
     name: pod-delete-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-- apiGroups: ["policy"]
+  - apiGroups: ["apps"]
-  resources: ["podsecuritypolicies"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-  verbs: ["use"]
+    verbs: ["list","get"]
-  resourceNames: ["litmus"] 
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"] 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-delete/rbac.yaml

@@ -17,27 +17,50 @@ metadata:
     name: pod-delete-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-delete/rbac_nginx_getstarted.yaml

@@ -15,27 +15,50 @@ metadata:
   labels:
     name: pod-delete-sa
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-dns-error/experiment.yaml

@@ -14,37 +14,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "argoproj.io"
+      - apiGroups: [""]
-          - "litmuschaos.io"
+        resources: ["events"]
-        resources:
+        verbs: ["create","get","list","patch","update"]
-          - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods"
+      - apiGroups: [""]
-          - "pods/log"
+        resources: ["configmaps"]
-          - "replicationcontrollers"
+        verbs: ["get","list",]
-          - "deployments"
+      # Track and get the runner, experiment, and helper pods log 
-          - "statefulsets"
+      - apiGroups: [""]
-          - "daemonsets"
+        resources: ["pods/log"]
-          - "replicasets"
+        verbs: ["get","list","watch"]  
-          - "deploymentconfigs"
+      # for creating and managing to execute comands inside target container
-          - "rollouts"
+      - apiGroups: [""]
-          - "pods/exec"
+        resources: ["pods/exec"]
-          - "events"
+        verbs: ["get","list","create"]
-          - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-          - "chaosexperiments"
+      - apiGroups: ["apps"]
-          - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-        verbs:
+        verbs: ["list","get"]
-          - "create"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-          - "list"
+      - apiGroups: ["apps.openshift.io"]
-          - "get"
+        resources: ["deploymentconfigs"]
-          - "patch"
+        verbs: ["list","get"]
-          - "update"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-          - "delete"
+      - apiGroups: [""]
-          - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     args:
       - -c

charts/generic/pod-dns-error/rbac-psp.yaml

@@ -17,28 +17,51 @@ metadata:
     name: pod-dns-error-sa
     app.kubernetes.io/part-of: litmus
 rules:
+   # Create and monitor the experiment & helper pods
   - apiGroups: [""]
-    resources: ["pods", "events"]
+    resources: ["pods"]
-    verbs:
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-      ["create", "list", "get", "patch", "update", "delete", "deletecollection"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
   - apiGroups: [""]
-    resources: ["pods/exec", "pods/log", "replicationcontrollers"]
+    resources: ["events"]
-    verbs: ["create", "list", "get"]
+    verbs: ["create","get","list","patch","update"]
-  - apiGroups: ["batch"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-    resources: ["jobs"]
+  - apiGroups: [""]
-    verbs: ["create", "list", "get", "delete", "deletecollection"]
+    resources: ["configmaps"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
   - apiGroups: ["apps"]
-    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-    verbs: ["list", "get"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
   - apiGroups: ["apps.openshift.io"]
     resources: ["deploymentconfigs"]
-    verbs: ["list", "get"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
   - apiGroups: ["argoproj.io"]
     resources: ["rollouts"]
-    verbs: ["list", "get"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
   - apiGroups: ["litmuschaos.io"]
-    resources: ["chaosengines", "chaosexperiments", "chaosresults"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
-    verbs: ["create", "list", "get", "patch", "update"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
   - apiGroups: ["policy"]
     resources: ["podsecuritypolicies"]
     verbs: ["use"]

charts/generic/pod-dns-error/rbac.yaml

@@ -17,28 +17,50 @@ metadata:
     name: pod-dns-error-sa
     app.kubernetes.io/part-of: litmus
 rules:
+  # Create and monitor the experiment & helper pods
   - apiGroups: [""]
-    resources: ["pods", "events"]
+    resources: ["pods"]
-    verbs:
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-      ["create", "list", "get", "patch", "update", "delete", "deletecollection"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
   - apiGroups: [""]
-    resources: ["pods/exec", "pods/log", "replicationcontrollers"]
+    resources: ["events"]
-    verbs: ["create", "list", "get"]
+    verbs: ["create","get","list","patch","update"]
-  - apiGroups: ["batch"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-    resources: ["jobs"]
+  - apiGroups: [""]
-    verbs: ["create", "list", "get", "delete", "deletecollection"]
+    resources: ["configmaps"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
   - apiGroups: ["apps"]
-    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-    verbs: ["list", "get"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
   - apiGroups: ["apps.openshift.io"]
     resources: ["deploymentconfigs"]
-    verbs: ["list", "get"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
   - apiGroups: ["argoproj.io"]
     resources: ["rollouts"]
-    verbs: ["list", "get"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
   - apiGroups: ["litmuschaos.io"]
-    resources: ["chaosengines", "chaosexperiments", "chaosresults"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
-    verbs: ["create", "list", "get", "patch", "update"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-dns-spoof/experiment.yaml

@@ -14,37 +14,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "argoproj.io"
+      - apiGroups: [""]
-          - "litmuschaos.io"
+        resources: ["events"]
-        resources:
+        verbs: ["create","get","list","patch","update"]
-          - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods"
+      - apiGroups: [""]
-          - "pods/log"
+        resources: ["configmaps"]
-          - "replicationcontrollers"
+        verbs: ["get","list",]
-          - "deployments"
+      # Track and get the runner, experiment, and helper pods log 
-          - "statefulsets"
+      - apiGroups: [""]
-          - "daemonsets"
+        resources: ["pods/log"]
-          - "replicasets"
+        verbs: ["get","list","watch"]  
-          - "deploymentconfigs"
+      # for creating and managing to execute comands inside target container
-          - "rollouts"
+      - apiGroups: [""]
-          - "pods/exec"
+        resources: ["pods/exec"]
-          - "events"
+        verbs: ["get","list","create"]
-          - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-          - "chaosexperiments"
+      - apiGroups: ["apps"]
-          - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-        verbs:
+        verbs: ["list","get"]
-          - "create"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-          - "list"
+      - apiGroups: ["apps.openshift.io"]
-          - "get"
+        resources: ["deploymentconfigs"]
-          - "patch"
+        verbs: ["list","get"]
-          - "update"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-          - "delete"
+      - apiGroups: [""]
-          - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     args:
       - -c

charts/generic/pod-dns-spoof/rbac-psp.yaml

@@ -17,28 +17,51 @@ metadata:
     name: pod-dns-spoof-sa
     app.kubernetes.io/part-of: litmus
 rules:
+  # Create and monitor the experiment & helper pods
   - apiGroups: [""]
-    resources: ["pods", "events"]
+    resources: ["pods"]
-    verbs:
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-      ["create", "list", "get", "patch", "update", "delete", "deletecollection"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
   - apiGroups: [""]
-    resources: ["pods/exec", "pods/log", "replicationcontrollers"]
+    resources: ["events"]
-    verbs: ["create", "list", "get"]
+    verbs: ["create","get","list","patch","update"]
-  - apiGroups: ["batch"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-    resources: ["jobs"]
+  - apiGroups: [""]
-    verbs: ["create", "list", "get", "delete", "deletecollection"]
+    resources: ["configmaps"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
   - apiGroups: ["apps"]
-    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-    verbs: ["list", "get"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
   - apiGroups: ["apps.openshift.io"]
     resources: ["deploymentconfigs"]
-    verbs: ["list", "get"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
   - apiGroups: ["argoproj.io"]
     resources: ["rollouts"]
-    verbs: ["list", "get"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
   - apiGroups: ["litmuschaos.io"]
-    resources: ["chaosengines", "chaosexperiments", "chaosresults"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
-    verbs: ["create", "list", "get", "patch", "update"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
   - apiGroups: ["policy"]
     resources: ["podsecuritypolicies"]
     verbs: ["use"]

charts/generic/pod-dns-spoof/rbac.yaml

@@ -17,28 +17,50 @@ metadata:
     name: pod-dns-spoof-sa
     app.kubernetes.io/part-of: litmus
 rules:
+    # Create and monitor the experiment & helper pods
   - apiGroups: [""]
-    resources: ["pods", "events"]
+    resources: ["pods"]
-    verbs:
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-      ["create", "list", "get", "patch", "update", "delete", "deletecollection"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
   - apiGroups: [""]
-    resources: ["pods/exec", "pods/log", "replicationcontrollers"]
+    resources: ["events"]
-    verbs: ["create", "list", "get"]
+    verbs: ["create","get","list","patch","update"]
-  - apiGroups: ["batch"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-    resources: ["jobs"]
+  - apiGroups: [""]
-    verbs: ["create", "list", "get", "delete", "deletecollection"]
+    resources: ["configmaps"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
   - apiGroups: ["apps"]
-    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-    verbs: ["list", "get"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
   - apiGroups: ["apps.openshift.io"]
     resources: ["deploymentconfigs"]
-    verbs: ["list", "get"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
   - apiGroups: ["argoproj.io"]
     resources: ["rollouts"]
-    verbs: ["list", "get"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
   - apiGroups: ["litmuschaos.io"]
-    resources: ["chaosengines", "chaosexperiments", "chaosresults"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
-    verbs: ["create", "list", "get", "patch", "update"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-io-stress/experiment.yaml

@@ -15,37 +15,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "argoproj.io"
+      - apiGroups: [""]
-          - "litmuschaos.io"
+        resources: ["events"]
-        resources:
+        verbs: ["create","get","list","patch","update"]
-          - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods"
+      - apiGroups: [""]
-          - "pods/log"
+        resources: ["configmaps"]
-          - "replicationcontrollers"
+        verbs: ["get","list",]
-          - "deployments"
+      # Track and get the runner, experiment, and helper pods log 
-          - "statefulsets"
+      - apiGroups: [""]
-          - "daemonsets"
+        resources: ["pods/log"]
-          - "replicasets"
+        verbs: ["get","list","watch"]  
-          - "deploymentconfigs"
+      # for creating and managing to execute comands inside target container
-          - "rollouts"
+      - apiGroups: [""]
-          - "pods/exec"
+        resources: ["pods/exec"]
-          - "events"
+        verbs: ["get","list","create"]
-          - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-          - "chaosexperiments"
+      - apiGroups: ["apps"]
-          - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-        verbs:
+        verbs: ["list","get"]
-          - "create"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-          - "list"
+      - apiGroups: ["apps.openshift.io"]
-          - "get"
+        resources: ["deploymentconfigs"]
-          - "patch"
+        verbs: ["list","get"]
-          - "update"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-          - "delete"
+      - apiGroups: [""]
-          - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:ci"
     imagePullPolicy: Always
     args:

charts/generic/pod-io-stress/rbac-psp.yaml

@@ -17,31 +17,55 @@ metadata:
     name: pod-io-stress-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-- apiGroups: ["policy"]
+  - apiGroups: ["apps"]
-  resources: ["podsecuritypolicies"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-  verbs: ["use"]
+    verbs: ["list","get"]
-  resourceNames: ["litmus"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-io-stress/rbac.yaml

@@ -17,27 +17,50 @@ metadata:
     name: pod-io-stress-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-memory-hog-exec/experiment.yaml

@@ -15,37 +15,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "argoproj.io"
+      - apiGroups: [""]
-          - "litmuschaos.io"
+        resources: ["events"]
-        resources:
+        verbs: ["create","get","list","patch","update"]
-          - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods"
+      - apiGroups: [""]
-          - "pods/log"
+        resources: ["configmaps"]
-          - "replicationcontrollers"
+        verbs: ["get","list",]
-          - "deployments"
+      # Track and get the runner, experiment, and helper pods log 
-          - "statefulsets"
+      - apiGroups: [""]
-          - "daemonsets"
+        resources: ["pods/log"]
-          - "replicasets"
+        verbs: ["get","list","watch"]  
-          - "deploymentconfigs"
+      # for creating and managing to execute comands inside target container
-          - "rollouts"
+      - apiGroups: [""]
-          - "pods/exec"
+        resources: ["pods/exec"]
-          - "events"
+        verbs: ["get","list","create"]
-          - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-          - "chaosexperiments"
+      - apiGroups: ["apps"]
-          - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-        verbs:
+        verbs: ["list","get"]
-          - "create"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-          - "list"
+      - apiGroups: ["apps.openshift.io"]
-          - "get"
+        resources: ["deploymentconfigs"]
-          - "patch"
+        verbs: ["list","get"]
-          - "update"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-          - "delete"
+      - apiGroups: [""]
-          - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:ci"
     imagePullPolicy: Always
     args:

charts/generic/pod-memory-hog-exec/rbac-psp.yaml

@@ -17,31 +17,55 @@ metadata:
     name: pod-memory-hog-exec-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-- apiGroups: ["policy"]
+  - apiGroups: ["apps"]
-  resources: ["podsecuritypolicies"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-  verbs: ["use"]
+    verbs: ["list","get"]
-  resourceNames: ["litmus"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-memory-hog-exec/rbac.yaml

@@ -17,27 +17,50 @@ metadata:
     name: pod-memory-hog-exec-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-memory-hog/experiment.yaml

@@ -15,37 +15,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "argoproj.io"
+      - apiGroups: [""]
-          - "litmuschaos.io"
+        resources: ["events"]
-        resources:
+        verbs: ["create","get","list","patch","update"]
-          - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods"
+      - apiGroups: [""]
-          - "pods/log"
+        resources: ["configmaps"]
-          - "replicationcontrollers"
+        verbs: ["get","list",]
-          - "deployments"
+      # Track and get the runner, experiment, and helper pods log 
-          - "statefulsets"
+      - apiGroups: [""]
-          - "daemonsets"
+        resources: ["pods/log"]
-          - "replicasets"
+        verbs: ["get","list","watch"]  
-          - "deploymentconfigs"
+      # for creating and managing to execute comands inside target container
-          - "rollouts"
+      - apiGroups: [""]
-          - "pods/exec"
+        resources: ["pods/exec"]
-          - "events"
+        verbs: ["get","list","create"]
-          - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-          - "chaosexperiments"
+      - apiGroups: ["apps"]
-          - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-        verbs:
+        verbs: ["list","get"]
-          - "create"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-          - "list"
+      - apiGroups: ["apps.openshift.io"]
-          - "get"
+        resources: ["deploymentconfigs"]
-          - "patch"
+        verbs: ["list","get"]
-          - "update"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-          - "delete"
+      - apiGroups: [""]
-          - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:ci"
     imagePullPolicy: Always
     args:

charts/generic/pod-memory-hog/rbac-psp.yaml

@@ -17,31 +17,55 @@ metadata:
     name: pod-memory-hog-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-- apiGroups: ["policy"]
+  - apiGroups: ["apps"]
-  resources: ["podsecuritypolicies"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-  verbs: ["use"]
+    verbs: ["list","get"]
-  resourceNames: ["litmus"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-memory-hog/rbac.yaml

@@ -17,27 +17,50 @@ metadata:
     name: pod-memory-hog-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-network-corruption/experiment.yaml

@@ -14,37 +14,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "argoproj.io"
+      - apiGroups: [""]
-          - "litmuschaos.io"
+        resources: ["events"]
-        resources:
+        verbs: ["create","get","list","patch","update"]
-          - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods"
+      - apiGroups: [""]
-          - "pods/log"
+        resources: ["configmaps"]
-          - "replicationcontrollers"
+        verbs: ["get","list",]
-          - "deployments"
+      # Track and get the runner, experiment, and helper pods log 
-          - "statefulsets"
+      - apiGroups: [""]
-          - "daemonsets"
+        resources: ["pods/log"]
-          - "replicasets"
+        verbs: ["get","list","watch"]  
-          - "deploymentconfigs"
+      # for creating and managing to execute comands inside target container
-          - "rollouts"
+      - apiGroups: [""]
-          - "pods/exec"
+        resources: ["pods/exec"]
-          - "events"
+        verbs: ["get","list","create"]
-          - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-          - "chaosexperiments"
+      - apiGroups: ["apps"]
-          - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-        verbs:
+        verbs: ["list","get"]
-          - "create"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-          - "delete"
+      - apiGroups: ["apps.openshift.io"]
-          - "list"
+        resources: ["deploymentconfigs"]
-          - "patch"
+        verbs: ["list","get"]
-          - "update"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-          - "get"
+      - apiGroups: [""]
-          - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/pod-network-corruption/rbac-psp.yaml

@@ -17,31 +17,55 @@ metadata:
     name: pod-network-corruption-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-- apiGroups: ["policy"]
+  - apiGroups: ["apps"]
-  resources: ["podsecuritypolicies"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-  verbs: ["use"]
+    verbs: ["list","get"]
-  resourceNames: ["litmus"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-network-corruption/rbac.yaml

@@ -17,27 +17,50 @@ metadata:
     name: pod-network-corruption-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-network-duplication/experiment.yaml

@@ -14,37 +14,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-    - apiGroups:
+      # Create and monitor the experiment & helper pods
-        - ""
+      - apiGroups: [""]
-        - "batch"
+        resources: ["pods"]
-        - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-        - "argoproj.io"
+      - apiGroups: [""]
-        - "litmuschaos.io"
+        resources: ["events"]
-      resources:
+        verbs: ["create","get","list","patch","update"]
-        - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-        - "pods"
+      - apiGroups: [""]
-        - "pods/log"
+        resources: ["configmaps"]
-        - "replicationcontrollers"
+        verbs: ["get","list",]
-        - "deployments"
+      # Track and get the runner, experiment, and helper pods log 
-        - "statefulsets"
+      - apiGroups: [""]
-        - "daemonsets"
+        resources: ["pods/log"]
-        - "replicasets"
+        verbs: ["get","list","watch"]  
-        - "deploymentconfigs"
+      # for creating and managing to execute comands inside target container
-        - "rollouts"
+      - apiGroups: [""]
-        - "pods/exec"
+        resources: ["pods/exec"]
-        - "events"
+        verbs: ["get","list","create"]
-        - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-        - "chaosexperiments"
+      - apiGroups: ["apps"]
-        - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-      verbs:
+        verbs: ["list","get"]
-        - "get"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-        - "list"
+      - apiGroups: ["apps.openshift.io"]
-        - "patch"
+        resources: ["deploymentconfigs"]
-        - "create"
+        verbs: ["list","get"]
-        - "update"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-        - "delete"
+      - apiGroups: [""]
-        - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/pod-network-duplication/rbac-psp.yaml

@@ -16,31 +16,55 @@ metadata:
     name: pod-network-duplication-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-- apiGroups: ["policy"]
+  - apiGroups: ["apps"]
-  resources: ["podsecuritypolicies"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-  verbs: ["use"]
+    verbs: ["list","get"]
-  resourceNames: ["litmus"] 
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-network-duplication/rbac.yaml

@@ -16,27 +16,50 @@ metadata:
     name: pod-network-duplication-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-network-latency/experiment.yaml

@@ -14,37 +14,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "argoproj.io"
+      - apiGroups: [""]
-          - "litmuschaos.io"
+        resources: ["events"]
-        resources:
+        verbs: ["create","get","list","patch","update"]
-          - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-          - "pods"
+      - apiGroups: [""]
-          - "pods/log"
+        resources: ["configmaps"]
-          - "replicationcontrollers"
+        verbs: ["get","list",]
-          - "deployments"
+      # Track and get the runner, experiment, and helper pods log 
-          - "statefulsets"
+      - apiGroups: [""]
-          - "daemonsets"
+        resources: ["pods/log"]
-          - "replicasets"
+        verbs: ["get","list","watch"]  
-          - "deploymentconfigs"
+      # for creating and managing to execute comands inside target container
-          - "rollouts"
+      - apiGroups: [""]
-          - "pods/exec"
+        resources: ["pods/exec"]
-          - "events"
+        verbs: ["get","list","create"]
-          - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-          - "chaosexperiments"
+      - apiGroups: ["apps"]
-          - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-        verbs:
+        verbs: ["list","get"]
-          - "create"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-          - "list"
+      - apiGroups: ["apps.openshift.io"]
-          - "get"
+        resources: ["deploymentconfigs"]
-          - "patch"
+        verbs: ["list","get"]
-          - "update"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-          - "delete"
+      - apiGroups: [""]
-          - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/pod-network-latency/rbac-psp.yaml

@@ -17,31 +17,55 @@ metadata:
     name: pod-network-latency-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-- apiGroups: ["policy"]
+  - apiGroups: ["apps"]
-  resources: ["podsecuritypolicies"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-  verbs: ["use"]
+    verbs: ["list","get"]
-  resourceNames: ["litmus"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-network-latency/rbac.yaml

@@ -17,27 +17,50 @@ metadata:
     name: pod-network-latency-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-network-loss/experiment.yaml

@@ -14,37 +14,50 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-    - apiGroups:
+      # Create and monitor the experiment & helper pods
-        - ""
+      - apiGroups: [""]
-        - "batch"
+        resources: ["pods"]
-        - "apps"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        - "apps.openshift.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-        - "argoproj.io"
+      - apiGroups: [""]
-        - "litmuschaos.io"
+        resources: ["events"]
-      resources:
+        verbs: ["create","get","list","patch","update"]
-        - "jobs"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-        - "pods"
+      - apiGroups: [""]
-        - "pods/log"
+        resources: ["configmaps"]
-        - "replicationcontrollers"
+        verbs: ["get","list",]
-        - "deployments"
+      # Track and get the runner, experiment, and helper pods log 
-        - "statefulsets"
+      - apiGroups: [""]
-        - "daemonsets"
+        resources: ["pods/log"]
-        - "replicasets"
+        verbs: ["get","list","watch"]  
-        - "deploymentconfigs"
+      # for creating and managing to execute comands inside target container
-        - "rollouts"
+      - apiGroups: [""]
-        - "pods/exec"
+        resources: ["pods/exec"]
-        - "events"
+        verbs: ["get","list","create"]
-        - "chaosengines"
+      # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-        - "chaosexperiments"
+      - apiGroups: ["apps"]
-        - "chaosresults"
+        resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-      verbs:
+        verbs: ["list","get"]
-        - "get"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
-        - "list"
+      - apiGroups: ["apps.openshift.io"]
-        - "patch"
+        resources: ["deploymentconfigs"]
-        - "create"
+        verbs: ["list","get"]
-        - "update"
+      # deriving the parent/owner details of the pod(if parent is deploymentConfig)
-        - "delete"
+      - apiGroups: [""]
-        - "deletecollection"
+        resources: ["replicationcontrollers"]
+        verbs: ["get","list"]
+      # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+      - apiGroups: ["argoproj.io"]
+        resources: ["rollouts"]
+        verbs: ["list","get"]
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/pod-network-loss/rbac-psp.yaml

@@ -16,31 +16,55 @@ metadata:
     name: pod-network-loss-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
-- apiGroups: ["policy"]
+  - apiGroups: ["apps"]
-  resources: ["podsecuritypolicies"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
-  verbs: ["use"]
+    verbs: ["list","get"]
-  resourceNames: ["litmus"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-network-loss/rbac.yaml

@@ -16,27 +16,50 @@ metadata:
     name: pod-network-loss-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log","replicationcontrollers"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets","daemonsets","replicasets"]
+    resources: ["configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["apps.openshift.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["deploymentconfigs"]
+  - apiGroups: [""]
-  verbs: ["list","get"]
+    resources: ["pods/log"]
-- apiGroups: ["argoproj.io"]
+    verbs: ["get","list","watch"]  
-  resources: ["rollouts"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["list","get"]
+  - apiGroups: [""]
-- apiGroups: ["litmuschaos.io"]
+    resources: ["pods/exec"]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["get","list","create"]
-  verbs: ["create","list","get","patch","update"]
+  # deriving the parent/owner details of the pod(if parent is anyof {deployment, statefulset, daemonsets})
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets","replicasets", "daemonsets"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)  
+  - apiGroups: ["apps.openshift.io"]
+    resources: ["deploymentconfigs"]
+    verbs: ["list","get"]
+  # deriving the parent/owner details of the pod(if parent is deploymentConfig)
+  - apiGroups: [""]
+    resources: ["replicationcontrollers"]
+    verbs: ["get","list"]
+  # deriving the parent/owner details of the pod(if parent is argo-rollouts)
+  - apiGroups: ["argoproj.io"]
+    resources: ["rollouts"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-network-partition/experiment.yaml

@@ -14,29 +14,38 @@ spec:
   definition:
     scope: Namespaced
     permissions:
-    - apiGroups:
+      # Create and monitor the experiment & helper pods
-        - ""
+      - apiGroups: [""]
-        - "batch"
+        resources: ["pods"]
-        - "networking.k8s.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        - "litmuschaos.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-      resources:
+      - apiGroups: [""]
-        - "jobs"
+        resources: ["events"]
-        - "pods"
+        verbs: ["create","get","list","patch","update"]
-        - "pods/log"
+      # Fetch configmaps details and mount it to the experiment pod (if specified)
-        - networkpolicies
+      - apiGroups: [""]
-        - "pods/exec"
+        resources: ["configmaps"]
-        - "events"
+        verbs: ["get","list",]
-        - "chaosengines"
+      # Track and get the runner, experiment, and helper pods log 
-        - "chaosexperiments"
+      - apiGroups: [""]
-        - "chaosresults"
+        resources: ["pods/log"]
-      verbs:
+        verbs: ["get","list","watch"]  
-        - "get"
+      # for creating and managing to execute comands inside target container
-        - "list"
+      - apiGroups: [""]
-        - "patch"
+        resources: ["pods/exec"]
-        - "create"
+        verbs: ["get","list","create"]
-        - "update"
+      # for configuring and monitor the experiment job by the chaos-runner pod
-        - "delete"
+      - apiGroups: ["batch"]
-        - "deletecollection"
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # performs CRUD operations on the network policies
+      - apiGroups: ["networking.k8s.io"]
+        resources: ["networkpolicies"]
+        verbs: ["create","delete","list","get"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/generic/pod-network-partition/rbac-psp.yaml

@@ -16,25 +16,43 @@ metadata:
     name: pod-network-partition-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["list","get","create"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["networking.k8s.io"]
+  - apiGroups: [""]
-  resources: ["networkpolicies"]
+    resources: ["configmaps"]
-  verbs: ["create","delete","list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["litmuschaos.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update"]
+    resources: ["pods/log"]
-- apiGroups: ["policy"]
+    verbs: ["get","list","watch"]  
-  resources: ["podsecuritypolicies"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["use"]
+  - apiGroups: [""]
-  resourceNames: ["litmus"]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # performs CRUD operations on the network policies
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["networkpolicies"]
+    verbs: ["create","delete","list","get"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # use litmus psp
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs: ["use"]
+    resourceNames: ["litmus"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/generic/pod-network-partition/rbac.yaml

@@ -16,21 +16,38 @@ metadata:
     name: pod-network-partition-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["list","get","create"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps details and mount it to the experiment pod (if specified)
-- apiGroups: ["networking.k8s.io"]
+  - apiGroups: [""]
-  resources: ["networkpolicies"]
+    resources: ["configmaps"]
-  verbs: ["create","delete","list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["litmuschaos.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update"]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # performs CRUD operations on the network policies
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["networkpolicies"]
+    verbs: ["create","delete","list","get"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/kafka/kafka-broker-pod-failure/experiment.yaml

@@ -14,38 +14,38 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "apps"
+        resources: ["pods"]
-          - "batch"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-          - "litmuschaos.io"
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-        resources:
+      - apiGroups: [""]
-          - "statefulsets"
+        resources: ["events"]
-          - "deployments"
+        verbs: ["create","get","list","patch","update"]
-          - "events"
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "pods/log"
+      - apiGroups: [""]
-          - "configmaps"
+        resources: ["secrets","configmaps"]
-          - "jobs"
+        verbs: ["get","list",]
-          - "pods"
+      # Track and get the runner, experiment, and helper pods log 
-          - "pods/exec"
+      - apiGroups: [""]
-          - "chaosengines"
+        resources: ["pods/log"]
-          - "chaosexperiments"
+        verbs: ["get","list","watch"]  
-          - "chaosresults"
+      # for creating and managing to execute comands inside target container
-        verbs:
+      - apiGroups: [""]
-          - "create"
+        resources: ["pods/exec"]
-          - "get"
+        verbs: ["get","list","create"]
-          - "delete"
+      # for deriving the parent/owner details of the pod   
-          - "list"
+      - apiGroups: ["apps"]
-          - "update"
+        resources: ["deployments","statefulsets"]
-          - "patch"
+        verbs: ["list","get"]
-          - "deletecollection"
+      # for configuring and monitor the experiment job by the chaos-runner pod
-      - apiGroups:
+      - apiGroups: ["batch"]
-          - ""
+        resources: ["jobs"]
-        resources: 
+        verbs: ["create","list","get","delete","deletecollection"]
-          - "nodes"
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-        verbs:
+      - apiGroups: ["litmuschaos.io"]
-          - "get"
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
-          - "list"
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/kafka/kafka-broker-pod-failure/rbac.yaml

@@ -16,24 +16,38 @@ metadata:
     name: kafka-broker-pod-failure-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-- apiGroups: ["apps"]
+  - apiGroups: [""]
-  resources: ["deployments","statefulsets"]
+    resources: ["secrets","configmaps"]
-  verbs: ["list","get"]
+    verbs: ["get","list",]
-- apiGroups: ["litmuschaos.io"]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update"]
+    resources: ["pods/log"]
-- apiGroups: [""]
+    verbs: ["get","list","watch"]  
-  resources: ["nodes"]
+  # for creating and managing to execute comands inside target container
-  verbs: ["get","list"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for deriving the parent/owner details of the pod   
+  - apiGroups: ["apps"]
+    resources: ["deployments","statefulsets"]
+    verbs: ["list","get"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/kube-aws/ebs-loss-by-id/experiment.yaml

@@ -14,27 +14,34 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "events"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/log"
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "pods/exec"
+      - apiGroups: [""]
-          - "secrets"
+        resources: ["secrets","configmaps"]
-          - "chaosengines"
+        verbs: ["get","list",]
-          - "chaosexperiments"
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosresults"
+      - apiGroups: [""]
-        verbs:
+        resources: ["pods/log"]
-          - "create"
+        verbs: ["get","list","watch"]  
-          - "list"
+      # for creating and managing to execute comands inside target container
-          - "get"
+      - apiGroups: [""]
-          - "patch"
+        resources: ["pods/exec"]
-          - "update"
+        verbs: ["get","list","create"]
-          - "delete"
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/kube-aws/ebs-loss-by-id/rbac.yaml

@@ -16,18 +16,34 @@ metadata:
     name: ebs-loss-by-id-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events","secrets"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["secrets","configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/kube-aws/ebs-loss-by-tag/experiment.yaml

@@ -14,27 +14,34 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "events"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/log"
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "pods/exec"
+      - apiGroups: [""]
-          - "secrets"
+        resources: ["secrets","configmaps"]
-          - "chaosengines"
+        verbs: ["get","list",]
-          - "chaosexperiments"
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosresults"
+      - apiGroups: [""]
-        verbs:
+        resources: ["pods/log"]
-          - "create"
+        verbs: ["get","list","watch"]  
-          - "list"
+      # for creating and managing to execute comands inside target container
-          - "get"
+      - apiGroups: [""]
-          - "patch"
+        resources: ["pods/exec"]
-          - "update"
+        verbs: ["get","list","create"]
-          - "delete"
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/kube-aws/ebs-loss-by-tag/rbac.yaml

@@ -16,18 +16,34 @@ metadata:
     name: ebs-loss-by-tag-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events","secrets"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["secrets","configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
+  # Track and get the runner, experiment, and helper pods log 
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/kube-aws/ec2-terminate-by-id/experiment.yaml

@@ -14,27 +14,38 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "events"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/log"
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "pods/exec"
+      - apiGroups: [""]
-          - "secrets"
+        resources: ["secrets","configmaps"]
-          - "chaosengines"
+        verbs: ["get","list",]
-          - "chaosexperiments"
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosresults"
+      - apiGroups: [""]
-        verbs:
+        resources: ["pods/log"]
-          - "create"
+        verbs: ["get","list","watch"]  
-          - "list"
+      # for creating and managing to execute comands inside target container
-          - "get"
+      - apiGroups: [""]
-          - "patch"
+        resources: ["pods/exec"]
-          - "update"
+        verbs: ["get","list","create"]
-          - "delete"
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
+      # for experiment to perform node status checks
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get","list"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args:

charts/kube-aws/ec2-terminate-by-id/rbac.yaml

@@ -16,21 +16,38 @@ metadata:
     name: ec2-terminate-by-id-sa
     app.kubernetes.io/part-of: litmus
 rules:
-- apiGroups: [""]
+  # Create and monitor the experiment & helper pods
-  resources: ["pods","events","secrets"]
+  - apiGroups: [""]
-  verbs: ["create","list","get","patch","update","delete","deletecollection"]
+    resources: ["pods"]
-- apiGroups: [""]
+    verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-  resources: ["pods/exec","pods/log"]
+  # Performs CRUD operations on the events inside chaosengine and chaosresult
-  verbs: ["create","list","get"]
+  - apiGroups: [""]
-- apiGroups: ["batch"]
+    resources: ["events"]
-  resources: ["jobs"]
+    verbs: ["create","get","list","patch","update"]
-  verbs: ["create","list","get","delete","deletecollection"]
+  # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-- apiGroups: ["litmuschaos.io"]
+  - apiGroups: [""]
-  resources: ["chaosengines","chaosexperiments","chaosresults"]
+    resources: ["secrets","configmaps"]
-  verbs: ["create","list","get","patch","update"]
+    verbs: ["get","list",]
-- apiGroups: [""]
+  # Track and get the runner, experiment, and helper pods log 
-  resources: ["nodes"]
+  - apiGroups: [""]
-  verbs: ["patch","get","list"]
+    resources: ["pods/log"]
+    verbs: ["get","list","watch"]  
+  # for creating and managing to execute comands inside target container
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["get","list","create"]
+  # for configuring and monitor the experiment job by the chaos-runner pod
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create","list","get","delete","deletecollection"]
+  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+  - apiGroups: ["litmuschaos.io"]
+    resources: ["chaosengines","chaosexperiments","chaosresults"]
+    verbs: ["create","list","get","patch","update","delete"]
+  # for experiment to perform node status checks
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get","list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/kube-aws/ec2-terminate-by-tag/experiment.yaml

@@ -14,27 +14,38 @@ spec:
   definition:
     scope: Cluster
     permissions:
-      - apiGroups:
+      # Create and monitor the experiment & helper pods
-          - ""
+      - apiGroups: [""]
-          - "batch"
+        resources: ["pods"]
-          - "litmuschaos.io"
+        verbs: ["create","delete","get","list","patch","update", "deletecollection"]
-        resources:
+      # Performs CRUD operations on the events inside chaosengine and chaosresult
-          - "jobs"
+      - apiGroups: [""]
-          - "pods"
+        resources: ["events"]
-          - "events"
+        verbs: ["create","get","list","patch","update"]
-          - "pods/log"
+      # Fetch configmaps & secrets details and mount it to the experiment pod (if specified)
-          - "pods/exec"
+      - apiGroups: [""]
-          - "secrets"
+        resources: ["secrets","configmaps"]
-          - "chaosengines"
+        verbs: ["get","list",]
-          - "chaosexperiments"
+      # Track and get the runner, experiment, and helper pods log 
-          - "chaosresults"
+      - apiGroups: [""]
-        verbs:
+        resources: ["pods/log"]
-          - "create"
+        verbs: ["get","list","watch"]  
-          - "list"
+      # for creating and managing to execute comands inside target container
-          - "get"
+      - apiGroups: [""]
-          - "patch"
+        resources: ["pods/exec"]
-          - "update"
+        verbs: ["get","list","create"]
-          - "delete"
+      # for configuring and monitor the experiment job by the chaos-runner pod
+      - apiGroups: ["batch"]
+        resources: ["jobs"]
+        verbs: ["create","list","get","delete","deletecollection"]
+      # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
+      - apiGroups: ["litmuschaos.io"]
+        resources: ["chaosengines","chaosexperiments","chaosresults"]
+        verbs: ["create","list","get","patch","update","delete"]
+      # for experiment to perform node status checks
+      - apiGroups: [""]
+        resources: ["nodes"]
+        verbs: ["get","list"]
     image: "litmuschaos/go-runner:latest"
     imagePullPolicy: Always
     args: