BlastRadiusPolicy
BlastRadiusPolicy is a cluster-scoped guardrail that limits what chaos experiments can do. The admission webhook evaluates every experiment against it in a 7-step chain before the experiment is allowed to run.
Group: chaos.chaosplane.io/v1alpha1
Kind: BlastRadiusPolicy
Scope: Cluster
Example

```yaml
apiVersion: chaos.chaosplane.io/v1alpha1
kind: BlastRadiusPolicy
metadata:
  name: production-guardrails
spec:
  enforcement: Enforce
  scope:
    namespaces:
      - production
    labelSelector:
      matchLabels:
        environment: production
  targetLimits:
    maxTargets: 2
    maxPercentage: 20
  protectedResources:
    namespaces:
      - kube-system
      - monitoring
    labels:
      chaosplane.io/protected: "true"
    names:
      - kind: Deployment
        name: payment-service
        namespace: production
  actionLimits:
    allowedActions:
      - pod-kill
      - network-delay
      - pod-cpu-stress
    maxDuration: 10m
  timeWindows:
    allowed:
      - name: business-hours
        schedule: "0 9 * * 1-5"
        duration: 8h
        timezone: UTC
    blocked:
      - name: peak-traffic
        schedule: "0 17 * * 1-5"
        duration: 3h
        timezone: America/New_York
```
Spec fields
spec.enforcement
| Value | Description |
|---|---|
| Enforce | Block experiments that violate the policy |
| Audit | Log violations but allow experiments to proceed |
spec.scope
Defines which experiments this policy applies to. A policy only evaluates experiments targeting resources within its scope.
| Field | Type | Required | Description |
|---|---|---|---|
| namespaces | []string | No | Namespaces this policy covers (empty = all) |
| labelSelector | LabelSelector | No | Label selector for target resources |
spec.targetLimits
Limits how many resources a single experiment can affect.
| Field | Type | Required | Description |
|---|---|---|---|
| maxTargets | int32 | No | Absolute maximum number of targets |
| maxPercentage | int32 | No | Maximum percentage of matching resources (0-100) |
Both limits are evaluated independently. The experiment is blocked if it would exceed either one.
spec.protectedResources
Resources that can never be targeted, regardless of the experiment spec.
| Field | Type | Required | Description |
|---|---|---|---|
| namespaces | []string | No | Namespaces that cannot be targeted |
| labels | map[string]string | No | Resources with these labels cannot be targeted |
| names | []ProtectedResource | No | Specific named resources |
ProtectedResource
| Field | Type | Required | Description |
|---|---|---|---|
| kind | string | Yes | Resource kind (e.g. Pod, Node) |
| name | string | Yes | Resource name |
| namespace | string | No | Namespace (for namespaced resources) |
spec.actionLimits
Restricts which action types are allowed and caps experiment duration.
| Field | Type | Required | Description |
|---|---|---|---|
| allowedActions | []string | No | Allowed action types (empty = all allowed) |
| maxDuration | Duration | No | Maximum experiment duration |
spec.timeWindows
Controls when experiments can run using cron expressions.
| Field | Type | Description |
|---|---|---|
| allowed | []TimeWindow | Experiments can only run during these windows |
| blocked | []TimeWindow | Experiments are blocked during these windows |
Blocked windows take precedence over allowed windows.
TimeWindow
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Window name |
| schedule | string | Yes | 5-field cron expression (e.g. "0 9 * * 1-5") |
| duration | string | Yes | Window duration (e.g. 8h, 30m) |
| timezone | string | Yes | IANA timezone (e.g. UTC, America/New_York) |
Cron format: minute hour day-of-month month day-of-week
The 7-step evaluation chain
When an experiment is created or updated, the webhook evaluates it against all applicable policies in order:
1. Namespace scope - Is the target namespace in spec.scope.namespaces?
2. Label scope - Does the target match spec.scope.labelSelector?
3. Action type - Is the action in spec.actionLimits.allowedActions?
4. Max targets - Would the experiment exceed spec.targetLimits.maxTargets?
5. Max percentage - Would the experiment exceed spec.targetLimits.maxPercentage?
6. Time windows - Is the current time in an allowed window and not in a blocked window?
7. Enforcement - If Audit, log and allow. If Enforce, reject.
Multiple policies
Multiple policies can apply to the same experiment. All policies are evaluated, and the experiment is blocked if any one rejects it.
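The following Go program is an added example, not code from the chaosplane project, that works through the 7-step chain above, the time-window semantics from the TimeWindow section (cron start instant plus duration, evaluated in the window's IANA zone, blocked windows taking precedence), and the rule that maxTargets and maxPercentage are checked independently. The Policy, Experiment and TimeWindow types are hypothetical simplifications of the spec fields (list fields are modelled as sets, matchLabels only, no protectedResources), and the cron matcher supports only `*`, single values, ranges and comma lists:

```go
package main

import (
	"strconv"
	"strings"
	"time"
	_ "time/tzdata" // embedded zone database so IANA names resolve offline
)

// Hypothetical, simplified mirrors of the spec fields the chain reads (not the project's Go types).
type TimeWindow struct{ Name, Schedule, Duration, Timezone string }

type Policy struct {
	Enforcement     string            // Enforce or Audit
	ScopeNamespaces map[string]bool   // spec.scope.namespaces (empty = all)
	ScopeLabels     map[string]string // spec.scope.labelSelector.matchLabels
	AllowedActions  map[string]bool   // spec.actionLimits.allowedActions (empty = all)
	MaxTargets      int32             // spec.targetLimits.maxTargets (0 = unset)
	MaxPercentage   int32             // spec.targetLimits.maxPercentage (0 = unset)
	Allowed         []TimeWindow      // spec.timeWindows.allowed
	Blocked         []TimeWindow      // spec.timeWindows.blocked
}

// Experiment is the constructed view of a request: what it targets, how much, and when.
type Experiment struct {
	Namespace string
	Labels    map[string]string
	Action    string
	Targets   int32 // resources the experiment would affect
	Matching  int32 // resources its selector matches in total
	Now       time.Time
}

// cronField accepts "*", "n", "a-b" and comma lists; "/" steps are not supported here.
func cronField(field string, v int) bool {
	for _, part := range strings.Split(field, ",") {
		lo, hi, isRange := strings.Cut(part, "-")
		if !isRange {
			hi = lo
		}
		a, errA := strconv.Atoi(lo)
		b, errB := strconv.Atoi(hi)
		if part == "*" || (errA == nil && errB == nil && v >= a && v <= b) {
			return true
		}
	}
	return false
}

// cronMatches reports whether the minute t is a start instant of a 5-field expression.
func cronMatches(expr string, t time.Time) bool {
	f := strings.Fields(expr)
	return len(f) == 5 && cronField(f[0], t.Minute()) && cronField(f[1], t.Hour()) &&
		cronField(f[2], t.Day()) && cronField(f[3], int(t.Month())) && cronField(f[4], int(t.Weekday()))
}

// anyActive: a window is open at t if some start s (in its zone) has s <= t < s+duration, so walking back from t one minute at a time, for at most the duration, finds it.
func anyActive(ws []TimeWindow, t time.Time) bool {
	for _, w := range ws {
		loc, errL := time.LoadLocation(w.Timezone)
		d, errD := time.ParseDuration(w.Duration)
		if errL != nil || errD != nil {
			continue // an unparsable window never opens
		}
		for s := t.In(loc).Truncate(time.Minute); t.Sub(s) < d; s = s.Add(-time.Minute) {
			if cronMatches(w.Schedule, s) {
				return true
			}
		}
	}
	return false
}

// Evaluate runs the 7-step chain for one policy: may the experiment proceed, and which check failed first ("" if none). Audit reports the step but still allows.
func Evaluate(p Policy, e Experiment) (allowed bool, step string) {
	// Steps 1-2: namespace and label scope; out of scope means the policy does not apply.
	inScope := len(p.ScopeNamespaces) == 0 || p.ScopeNamespaces[e.Namespace]
	for k, v := range p.ScopeLabels {
		inScope = inScope && e.Labels[k] == v
	}
	if !inScope {
		return true, ""
	}
	switch {
	case len(p.AllowedActions) > 0 && !p.AllowedActions[e.Action]:
		step = "action-type" // step 3
	case p.MaxTargets > 0 && e.Targets > p.MaxTargets:
		step = "max-targets" // step 4
	case p.MaxPercentage > 0 && e.Matching > 0 && e.Targets*100 > p.MaxPercentage*e.Matching:
		step = "max-percentage" // step 5, independent of the absolute cap
	case anyActive(p.Blocked, e.Now), len(p.Allowed) > 0 && !anyActive(p.Allowed, e.Now):
		step = "time-window" // step 6, a blocked window wins over an allowed one
	}
	return step == "" || p.Enforcement == "Audit", step // step 7
}
```

With several policies, the webhook behaviour described above is a loop that calls Evaluate once per policy and rejects as soon as any call returns false. Note that the percentage check uses integer cross-multiplication (targets × 100 against maxPercentage × matching) so that no rounding can let an experiment slip past the cap, and that a window whose timezone or duration does not parse is treated as never open, which is the conservative reading for an allowed window.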
Printer columns
```
NAME                    ENFORCEMENT   MAX TARGETS   AGE
production-guardrails   Enforce       2             1d
```