Merge pull request #7 from SQxiaoxiaomeng/chaos-palybook

add namespace delete scenario

Author: tangcong

README.md

@@ -62,7 +62,7 @@ Using `kube-apiserver overload` as an example:
 
 - Create kube-apiserver overload workflow:
 ```bash
-kubectl create -f playbook/rabc.yaml && kubectl create -f playbook/all-in-one-template.yaml && kubectl create -f playbook/workflow/apiserver-overload-scenario.yaml
+kubectl create -f playbook/rbac.yaml && kubectl create -f playbook/all-in-one-template.yaml && kubectl create -f playbook/workflow/apiserver-overload-scenario.yaml
 ```
 
 ![apiserver overload flowchart](./playbook/docs/chaos-flowchart-en.png)
@@ -91,7 +91,7 @@ kubectl delete workflow {workflow-name}
 | etcd overload (ReadCache/Consistent cache) |   -      | Completed   |      -          | Add Etcd Overload Protect Policy, Simulate etcd high load       |
 | coredns outage                             |   -      | Completed   |      -          | Simulate coredns service outage                                 |
 | kubernetes-proxy outage                    |   -      | Completed   |      -          | Simulate kubernetes-proxy outage                                |
-| accidental deletion scenario               |  P0      | In Progress |  2025-05-30     | Simulate accidental resource deletion                           |
+| accidental deletion scenario               |   -      | Completed   |      -          | Simulate accidental resource deletion                           |
 | kube-apiserver outage                      |  P0      | In Progress |  2025-06-15     | Simulate kube-apiserver outage                                  |
 | etcd outage                                | P0       | In Progress |  2025-06-15     | Simulate etcd cluster failure                                   |
 | kube-scheduler outage                      | P0       | In Progress |  2025-06-15     | Test scheduling behavior during scheduler failure               |

README_zh.md

@@ -62,15 +62,15 @@ kubectl exec -it -n tke-chaos-test deployment/tke-chaos-argo-workflows-server --
 
 - 创建`kube-apiserver`高负载故障演练`workflow`：
 ```bash
-kubectl create -f playbook/rabc.yaml && kubectl create -f playbook/all-in-one-template.yaml && kubectl create -f playbook/workflow/apiserver-overload-scenario.yaml
+kubectl create -f playbook/rbac.yaml && kubectl create -f playbook/all-in-one-template.yaml && kubectl create -f playbook/workflow/apiserver-overload-scenario.yaml
 ```
 
 ![apiserver高负载演练流程图](./playbook/docs/chaos-flowchart-zh.png)
 
 
 **核心流程说明**
 
-- **演练配置**：在开始执行演练前，您可能需要配置一些演练参数，如配置`webhook-url`参数配置企微群通知，参数均提供了默认值，您可以在不修改任何参数的情况下执行演练。各演练场景参数说明见[演练场景参数配置说明](playbook/README.md)
+- **演练配置**：在开始执行演练前，您可能需要配置一些演练参数，如配置`webhook-url`参数配置企微群通知，参数均提供了默认值，您可以在不修改任何参数的情况下执行演练。各演练场景参数说明见[演练场景参数配置说明](playbook/README_zh.md)
 - **演练前校验**：开始执行演练之前，会对`目标集群`做健康检查校验，检查演练集群中的`Node`和`Pod`的健康比例，低于阈值将不允许演练，您可以通过修改，`precheck-pods-health-ratio`和`precheck-nodes-health-ratio`参数调整阈值。同时会校验`目标集群`中是否存在`tke-chaos-test/tke-chaos-precheck-resource ConfigMap`，如不存在将不允许演练。
 - **执行演练**：`kube-apiserver`高负载演练执行过程中，会对`目标集群`的`kube-apiserver`发起大量的洪泛`List Pod`请求，以模拟`kube-apiserver`高负载场景，您可以访问`腾讯云TKE控制台`的`目标集群`核心组件监控，查看`kube-apiserver`的负载情况。同时，您应该关注演练过程中您的业务Pod的健康状态，以验证`kube-apiserver`高负载是否会影响您的业务。
 - **演练结果**：您可以访问`Argo Server UI`查看演练结果（推荐），您也可以执行`kubectl describe workflow {workflow-name}`查看演练结果。
@@ -92,15 +92,14 @@ kubectl delete worflow {workflow-name}
 | etcd高负载演练(增加etcd过载保护策略)      |   -   |      完成     |      -       | 增加etcd过载保护策略，并模拟etcd服务高负载                         |
 | coredns停服                    |   -   |      完成     |      -       | 模拟coredns服务中断场景                                   |
 | kubernetes-proxy停服           |   -   |      完成     |      -       | 模拟kubernetes-proxy服务中断场景                          |
-| 资源误删除场景                      |  P0   |    开发中     |  2025-05-30  | 模拟资源被误删除场景                                        |
+| 资源误删除场景                      |  -   |    完成     |      -       | 模拟资源被误删除场景                                        |
 | kube-apiserver停服演练           |  P0   |    开发中     |  2025-06-15  | 模拟kube-apiserver服务中断场景                            |
 | etcd停服演练                     | P0    |    开发中     |  2025-06-15  | 模拟etcd集群故障场景                                      |
 | kube-scheduler停服演练           | P0    |    开发中     |  2025-06-15  | 测试调度器故障期间的集群调度行为                                  |
 | kube-controller-manager停服演练  | P0    |    开发中     |  2025-06-15  | 验证控制器组件故障场景                                       |
 | cloud-controller-manager停服演练 | P0    |    开发中     |  2025-06-15  | 验证控制器组件故障场景                                       |
 | master节点停机                   | P1    |    开发中     |  2025-06-15  | 模拟master关机场景                                      |
 
-
 ## 常见问题
 1. 为什么要用两个集群来执行演练测试?
 

playbook/README.md

@@ -83,6 +83,23 @@ This scenario simulates kubernetes-proxy service disruption by:
 | `disruption-duration` | `string` | `30s` | Disruption duration (e.g. 30s, 5m) |
 | `kubeconfig-secret-name` | `string` | `dest-cluster-kubeconfig` | Target cluster kubeconfig secret name |
 
+## Namespace Deletion Protection
+
+**playbook**: `workflow/namespace-delete-scenario.yaml`
+
+This scenario tests Tencent Cloud TKE's namespace deletion block policy with the following workflow:
+- **Create namespace deletion block policy**: Create a namespace deletion constraint policy to prevent deletion of namespaces containing Pods
+- **Create test resources**: Creates test namespace `tke-chaos-ns-76498` and Pod
+- **Verify protection**: Attempts to delete namespace with Pod to verify protection works
+- **Cleanup**: Deletes Pod first, then namespace, and finally removes namespace deletion block policy
+
+**Parameters**
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| `kubeconfig-secret-name` | `string` | `dest-cluster-kubeconfig` | Target cluster kubeconfig secret name |
+
+Tencent Cloud TKE supports various resource protection policies, such as CRD deletion protection, PV deletion protection, etc. You can refer to the official Tencent Cloud documentation for more details: [Policy Management](https://cloud.tencent.com/document/product/457/103179)
+
 ## TKE Self-maintenance of Master cluster's kube-apiserver Disruption
 TODO
 

playbook/README_zh.md

@@ -83,6 +83,23 @@
 | `disruption-duration` | `string` | `30s` | 服务中断持续时间(如30s，5m等) |
 | `kubeconfig-secret-name` | `string` | `dest-cluster-kubeconfig` | `目标集群kubeconfig secret`名称，如为空，则演练当前集群 |
 
+## 命名空间删除防护
+
+**playbook**：`workflow/namespace-delete-scenario.yaml`
+
+该场景测试腾讯云TKE集群的命名空间删除防护策略功能，主要流程包括：
+- **创建保护策略**：创建命名空间删除约束策略，防止删除包含 Pod 的命名空间
+- **创建测试资源**：创建测试命名空间 `tke-chaos-ns-76498` 和 Pod
+- **验证保护机制**：尝试删除包含 Pod 的命名空间，验证保护策略是否生效
+- **清理测试资源**：先删除 Pod 后再删除命名空间，最后移除保护策略
+
+**参数说明**
+| 参数名称 | 类型 | 默认值 | 说明 |
+|---------|------|--------|------|
+| `kubeconfig-secret-name` | `string` | `dest-cluster-kubeconfig` | 目标集群 kubeconfig secret 名称，如为空，则演练当前集群 |
+
+腾讯云TKE支持大量的资源防护策略，如`CRD`删除保护、`PV`删除保护等，您可以访问腾讯云官方文档以查看详细信息[策略管理](https://cloud.tencent.com/document/product/457/103179)
+
 ## TKE Master自维护集群kube-apiserver停服
 TODO
 

playbook/workflow/namespace-delete-scenario.yaml

@@ -0,0 +1,144 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Workflow
+metadata:
+  name: block-namespace-deletion-scenario
+  namespace: tke-chaos-test
+spec:
+  entrypoint: main
+  serviceAccountName: tke-chaos
+  arguments:
+    parameters:
+    - name: kubeconfig-secret-name
+      value: "dest-cluster-kubeconfig"
+    - name: block-namespace-deletion-manifest
+      value: |
+        apiVersion: constraints.gatekeeper.sh/v1beta1
+        kind: BlockNamespaceDeletion
+        metadata:
+          name: tke-chaos-test
+        spec:
+          enforcementAction: deny
+          match:
+            kinds:
+            - apiGroups:
+              - '*'
+              kinds:
+              - Namespace
+    - name: pod-manifest
+      value: |
+        apiVersion: v1
+        kind: Pod
+        metadata:
+          name: pod-76498
+          namespace: tke-chaos-ns-76498
+          labels:
+            pod-name: pod-76498
+        spec:
+          nodeSelector:
+            kubernetes.io/hostname: non-existent-node-3060282720
+          tolerations:
+          - key: node.kubernetes.io/unreachable
+            operator: Exists
+            effect: NoSchedule
+          containers:
+          - name: busybox
+            image: busybox:1.37.0
+            command: ["sleep", "3600"]
+          restartPolicy: Never
+  templates:
+  - name: main
+    steps:
+    - - name: create-block-namespace-deletion
+        arguments:
+          parameters:
+          - name: action
+            value: "create"
+          - name: manifest
+            value: "{{workflow.parameters.block-namespace-deletion-manifest}}"
+          - name: kubeconfig-secret-name
+            value: "{{workflow.parameters.kubeconfig-secret-name}}"
+        templateRef:
+          name: kubectl-cmd
+          template: kubectl-mutating-cmd
+          clusterScope: true
+    - - name: create-namespace
+        arguments:
+          parameters:
+          - name: cmd
+            value: "create namespace tke-chaos-ns-76498"
+          - name: kubeconfig-secret-name
+            value: "{{workflow.parameters.kubeconfig-secret-name}}"
+        templateRef:
+          name: kubectl-cmd
+          template: kubectl-cmd
+          clusterScope: true
+    - - name: create-pod-in-namespace
+        arguments:
+          parameters:
+          - name: action
+            value: "create"
+          - name: manifest
+            value: "{{workflow.parameters.pod-manifest}}"
+          - name: kubeconfig-secret-name
+            value: "{{workflow.parameters.kubeconfig-secret-name}}"
+        templateRef:
+          name: kubectl-cmd
+          template: kubectl-mutating-cmd
+          clusterScope: true
+    - - name: delete-namespace-with-pod-in-namespace
+        continueOn:
+          failed: true
+          error: true
+        arguments:
+          parameters:
+          - name: cmd
+            value: "delete namespace tke-chaos-ns-76498"
+          - name: kubeconfig-secret-name
+            value: "{{workflow.parameters.kubeconfig-secret-name}}"
+        templateRef:
+          name: kubectl-cmd
+          template: kubectl-cmd
+          clusterScope: true
+    # - - name: suspend
+    #     template: suspend
+    - - name: delete-pod-in-namespace
+        arguments:
+          parameters:
+          - name: action
+            value: "delete"
+          - name: manifest
+            value: "{{workflow.parameters.pod-manifest}}"
+          - name: kubeconfig-secret-name
+            value: "{{workflow.parameters.kubeconfig-secret-name}}"
+        templateRef:
+          name: kubectl-cmd
+          template: kubectl-mutating-cmd
+          clusterScope: true
+    - - name: delete-namespace-without-pod-in-namespace
+        arguments:
+          parameters:
+          - name: cmd
+            value: "delete namespace tke-chaos-ns-76498"
+          - name: kubeconfig-secret-name
+            value: "{{workflow.parameters.kubeconfig-secret-name}}"
+        templateRef:
+          name: kubectl-cmd
+          template: kubectl-cmd
+          clusterScope: true
+    - - name: delete-block-namespace-deletion
+        arguments:
+          parameters:
+          - name: action
+            value: "delete"
+          - name: manifest
+            value: "{{workflow.parameters.block-namespace-deletion-manifest}}"
+          - name: kubeconfig-secret-name
+            value: "{{workflow.parameters.kubeconfig-secret-name}}"
+        templateRef:
+          name: kubectl-cmd
+          template: kubectl-mutating-cmd
+          clusterScope: true
+
+  - name: suspend
+    suspend: {}