Navigation

Set Scope for MongoDB Enterprise Kubernetes Operator Deployment

Before you install the Kubernetes Operator, you can set the scope of the Kubernetes Operator deployment. The scopes depend on the namespaces in which you choose to deploy Ops Manager and MongoDB Kubernetes resources.

Kubernetes Operator Deployment Scopes

You can set one of these scopes:

Operator Uses Same Namespace as Resources

You can set the scope for the Kubernetes Operator to use the same namespace as resources. In this case, the Kubernetes Operator watches Ops Manager and MongoDB Kubernetes resources in that same namespace.

When you install the Kubernetes Operator, it uses the default namespace.

Operator Uses Different Namespace than Resources

You can set the scope for the Kubernetes Operator to use a different namespace than its resources. In this case, the Kubernetes Operator watches Ops Manager and MongoDB Kubernetes resources in a namespace that you specify.

You can use helm to install the Kubernetes Operator with this scope. Follow the relevant installation instructions for helm, but use the following command to set the namespace for the Kubernetes Operator to watch:

helm install <chart-name> helm_chart \
     --set operator.watchNamespace=<namespace> \

Setting the namespace ensures that:

  • The namespace you want the Kubernetes Operator to watch has the correct ClusterRole and ClusterRoleBinding. The clusterRole and clusterRoleBinding are included in the default configuration files that you apply during the installation. To create the clusterRole and clusterRoleBinding, you must have cluster-admin privileges.
  • The Kubernetes Operator can watch and create resources in this namespace.

Operator Uses Cluster-Wide Scope

You can set the scope for the Kubernetes Operator to the Kubernetes cluster. In this case, the Kubernetes Operator watches Ops Manager and MongoDB Kubernetes resources in all namespaces in the Kubernetes cluster.

Important

You can deploy only one instance of the Kubernetes Operator with a cluster-wide scope per Kubernetes cluster.

To set a cluster-wide scope for the Kubernetes Operator, follow the instructions for your preferred installation method.

Before you deploy the Kubernetes Operator, configure the following items:

  1. Use the mongodb-enterprise.yaml sample YAML file from the MongoDB Enterprise Kubernetes Operator GitHub repository.

  2. Set the spec.template.spec.containers.name.env.name:WATCH_NAMESPACE in mongodb-enterprise.yaml to *.

  3. In mongodb-enterprise.yaml, change:

    kind:  Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
     name: mongodb-enterprise-operator
    

    to:

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
     name: mongodb-enterprise-operator
    
  4. Add the following code to the ClusterRole that you have just modified:

    - apiGroups:
      - ""
      resources:
      - namespaces
      verbs:
      - list
      - watch
    
  5. In mongodb-enterprise.yaml, change:

    kind:  RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
     name: mongodb-enterprise-operator
     namespace: mongodb
    roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
     name: mongodb-enterprise-operator
    subjects:
     - kind: ServiceAccount
     name: mongodb-enterprise-operator
     namespace: mongodb
    

    to:

    kind:  ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
     name: mongodb-enterprise-operator
     namespace: mongodb
    roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: mongodb-enterprise-operator
    subjects:
     - kind: ServiceAccount
     name: mongodb-enterprise-operator
     namespace: mongodb
    
  6. Create all required local Kubernetes service accounts and secrets.

  7. In the following sample YAML file, replace <namespace> with the namespace in which you want the Kubernetes Operator to deploy resources.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    ---
    kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: mongodb-enterprise-appdb
      namespace: <namespace>
    ---
    kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: mongodb-enterprise-database-pods
      namespace: <namespace>
    ---
    kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: mongodb-enterprise-ops-manager
      namespace: <namespace>
    ---
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-enterprise-appdb
      namespace: <namespace>
    rules:
      - apiGroups:
          - ""
        resources:
          - secrets
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - pods
        verbs:
          - patch
    ---
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-enterprise-appdb
      namespace: <namespace>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: mongodb-enterprise-appdb
    subjects:
      - kind: ServiceAccount
        name: mongodb-enterprise-appdb
        namespace: <namespace>
    ...
    

Before you deploy the Kubernetes Operator, configure the following items:

  1. Configure the Kubernetes Operator to watch all namespaces:

    helm install <chart-name> helm_chart \
    --set operator.watchNamespace=*
    
  2. Create the required service accounts for each namespace where you want to deploy Ops Manager and MongoDB Kubernetes resources:

    helm template --set namespace=<namespace> \
    helm_chart --show-only templates/database-roles.yaml | kubectl
    apply -f -
    

Before you deploy the Kubernetes Operator, configure the following items:

  1. Use the mongodb-enterprise-openshift.yaml sample YAML file from the MongoDB Enterprise Kubernetes Operator GitHub repository.

  2. Set the spec.template.spec.containers.name.env.name:WATCH_NAMESPACE in mongodb-enterprise-openshift.yaml to *.

  3. In mongodb-enterprise-openshift.yaml, change:

    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
     name: enterprise-operator
    

    to:

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
     name: enterprise-operator
    
  4. Add the following code to the ClusterRole that you have just modified:

    - apiGroups:
      - ""
      resources:
      - namespaces
      verbs:
      - list
      - watch
    
  5. In mongodb-enterprise-openshift.yaml, change:

    kind:  RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
     name: enterprise-operator
     namespace: mongodb
    roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
     name: enterprise-operator
    subjects:
     - kind: ServiceAccount
     name: enterprise-operator
     namespace: mongodb
    

    to:

    kind:  ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
     name: enterprise-operator
     namespace: mongodb
    roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: enterprise-operator
    subjects:
     - kind: ServiceAccount
     name: enterprise-operator
     namespace: mongodb
    
  6. Create all required local Kubernetes service accounts and secrets.

  7. In the following sample YAML file, replace <namespace> with the namespace in which you want the Kubernetes Operator to deploy resources. Use oc or the OpenShift Container Platform user interface to apply the resulting YAML file.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    ---
    kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: mongodb-enterprise-appdb
      namespace: <namespace>
    ---
    kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: mongodb-enterprise-database-pods
      namespace: <namespace>
    ---
    kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: mongodb-enterprise-ops-manager
      namespace: <namespace>
    ---
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-enterprise-appdb
      namespace: <namespace>
    rules:
      - apiGroups:
          - ""
        resources:
          - secrets
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - pods
        verbs:
          - patch
    ---
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: mongodb-enterprise-appdb
      namespace: <namespace>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: mongodb-enterprise-appdb
    subjects:
      - kind: ServiceAccount
        name: mongodb-enterprise-appdb
        namespace: <namespace>
    ...
    

Before you deploy the Kubernetes Operator, configure the following items:

  1. Configure the Kubernetes Operator to watch all namespaces:

    helm install <chart-name> helm_chart \
    --set operator.watchNamespace=* \
    --values helm_chart/values-openshift.yaml
    
  2. Create the required service accounts for each namespace where you want to deploy Ops Manager and MongoDB Kubernetes resources:

    helm template --set namespace=<namespace> \
    helm_chart --show-only templates/database-roles.yaml | oc
    apply -f -
    

Next Steps

After setting up the scope for the MongoDB Enterprise Kubernetes Operator, you can: