/ /

Custom Resources

Docs Home

Management

Atlas Kubernetes Operator

Custom Resources

Docs Home

Management

Atlas Kubernetes Operator

Custom Resources

`AtlasCustomRole` Custom Resource

Important

Legacy subresources are deprecated as of the release of their corresponding CRDs. If your configuration currently relies on the subresource form of this resource definition, migrate to a CRD.

The AtlasCustomRole custom resource defines a custom database role to allocate privileges to your database users.

To create this custom role within a given project, you must either:

Reference the AtlasProject Custom Resource name in the AtlasCustomRole custom resource, for projects you manage with Atlas Kubernetes Operator
Reference the project ID of your Atlas project in the AtlasCustomRole custom resource, for projects you don't manage with Atlas Kubernetes Operator

Important

Custom Resources No Longer Delete Objects by Default

Atlas Kubernetes Operator uses custom resource configuration files to manage your Atlas configuration, but as of Atlas Kubernetes Operator 2.0, custom resources you delete in Kubernetes are no longer (by default) deleted in Atlas. Instead, Atlas Kubernetes Operator simply stops managing those resources in Atlas. For example, if you delete an AtlasProject Custom Resource in Kubernetes, by default the Atlas Kubernetes Operator no longer automatically deletes the corresponding project from Atlas. This change in behavior is intended to help prevent accidental or unexpected deletions. To learn more, including how to revert this behavior to the default used prior to Atlas Kubernetes Operator 2.0, see New Default: Deletion Protection in Atlas Kubernetes Operator 2.0.
Similarly, Atlas Kubernetes Operator does not delete teams from Atlas if you remove them from an Atlas project in Kubernetes with the Atlas Kubernetes Operator.

Explicitly define your desired configuration details in order to avoid implicitly using default Atlas configuration values. In some cases, inheriting Atlas defaults may result in a reconciliation loop which can prevent your custom resource from achieving a READY state. For example, explicitly defining your desired autoscaling behavior in your AtlasDeployment custom resource, as shown in the included example, ensures that a static instance size in your custom resource is not being repeatedly applied to an Atlas deployment which has autoscaling enabled.

autoScaling:
  diskGB:
    enabled: true
  compute:
    enabled: true
    scaleDownEnabled: true
    minInstanceSize: M30
    maxInstanceSize: M40

Atlas Kubernetes Operator does one of the following actions using the Atlas Custom Database Role API Resource:

Creates a new custom database role.
Updates an existing custom database role.

Examples

Basic Example

The following example shows an AtlasCustomRole custom resource that defines the shard-operator custom role, with privileges for backing up and monitoring sharded clusters within the my-project project.

apiVersion: atlas.mongodb.com/v1
kind: AtlasCustomRole
metadata:
  name: shard-operator-role
  namespace: mongodb-atlas-system
  labels:
    mongodb.com/atlas-reconciliation-policy: keep
spec:
  projectRef:
    name: my-project
    namespace: my-operator-namespace
  role:
    name: my-role
      actions:
      - name: getShardMap
        resources:
          cluster: true
      - name: shardingState
        resources:
          cluster: true
      - name: connPoolStats
        resources:
          cluster: true
      - name: getLog
        resources:
          cluster: true
      inheritedRoles:
      - name: operator-role-1
        role: backup

Independent CRD Example

The following example shows an AtlasCustomRole independent CRD that defines the same shard-operator custom role defined in the Basic Example. This custom resource definition allows you to create this role in a project you don't manage in the same instance of Atlas Kubernetes Operator with which you define this resource. To enable independent operation, you must use an externalProjectRef instead of a projectRef, and you must supply a connectionSecret directly since this resource can't inherit API credentials from its parent project.

apiVersion: atlas.mongodb.com/v1
kind: AtlasCustomRole
metadata:
  name: shard-operator-role
  namespace: mongodb-atlas-system
  labels:
    mongodb.com/atlas-reconciliation-policy: keep
spec:
  externalProjectRef:
    id: 671998971c8520583f24f411
  connectionSecret:
    name: my-atlas-key
  role:
    name: my-role
      actions:
      - name: getShardMap
        resources:
          cluster: true
      - name: shardingState
        resources:
          cluster: true
      - name: connPoolStats
        resources:
          cluster: true
      - name: getLog
        resources:
          cluster: true
      inheritedRoles:
      - name: operator-role-1
        role: backup

Parameters

AtlasCustomRole

AtlasCustomRole is the Schema for the AtlasCustomRole API

`Name`	Type	Description	Required
`apiVersion`	string	atlas.mongodb.com/v1	true
`kind`	string	`AtlasCustomRole`	true
`metadata`	object	Refer to the Kubernetes `API` documentation for the fields of the `metadata` field.	true
`spec`	object	`AtlasCustomRoleSpec` defines the target state of `CustomRole` in Atlas. Validations: (has(self.``externalProjectRef``) && !has(self.``projectRef``)) \|\| (!has(self.``externalProjectRef``) && has(self.``projectRef``)): must define only one project reference through `externalProjectRef` or `projectRef` (has(self.``externalProjectRef``) && has(self.``connectionSecret``)) \|\| !has(self.``externalProjectRef``): must define a local connection secret when referencing an external project	false
`status`	object	`AtlasCustomRoleStatus` is a `status` for the `AtlasCustomRole` Custom resource. Not the one included in the `AtlasProject`	false

AtlasCustomRole.spec

AtlasCustomRoleSpec defines the target state of CustomRole in Atlas.

`Name`	Type	Description	Required
`role`	object	Role represents a Custom Role in Atlas.	true
`connectionSecret`	object	Name of the secret containing Atlas `API` private and public keys.	false
`externalProjectRef`	object	`externalProjectRef` holds the parent Atlas project `ID`. Mutually exclusive with the "`projectRef`" field.	false
`projectRef`	object	`projectRef` is a reference to the parent `AtlasProject` resource. Mutually exclusive with the "`externalProjectRef`" field.	false

AtlasCustomRole.spec.role

Role represents a Custom Role in Atlas.

`Name`	Type	Description	Required
`name`	string	Human-readable label that identifies the role. This `name` must be unique for this custom role in this project.	true
`actions`	[]object	List of the individual privilege `actions` that the role grants.	false
`inheritedRoles`	[]object	List of the built-in roles that this custom role inherits.	false

AtlasCustomRole.spec.role.actions

`Name`	Type	Description	Required
`name`	string	Human-readable label that identifies the privilege action.	true
`resources`	[]object	List of `resources` on which you grant the action.	true

AtlasCustomRole.spec.role.actions.resources

`Name`	Type	Description	Required
`cluster`	boolean	Flag that indicates whether to grant the action on the `cluster` resource. If true, `MongoDB` Cloud ignores Database and Collection parameters.	false
`collection`	string	Human-readable label that identifies the `collection` on which you grant the action to one `MongoDB` user.	false
`database`	string	Human-readable label that identifies the `database` on which you grant the action to one `MongoDB` user.	false

AtlasCustomRole.spec.role.inheritedRoles

`Name`	Type	Description	Required
`database`	string	Human-readable label that identifies the `database` on which someone grants the action to one `MongoDB` user.	true
`name`	string	Human-readable label that identifies the role inherited.	true

AtlasCustomRole.spec.connectionSecret

Name of the secret containing Atlas API private and public keys.

`Name`	Type	Description	Required
`name`	string	Name of the resource being referred to More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names	true

AtlasCustomRole.spec.externalProjectRef

externalProjectRef holds the parent Atlas project ID. Mutually exclusive with the "projectRef" field.

`Name`	Type	Description	Required
`id`	string	`ID` is the Atlas project `ID`.	true

AtlasCustomRole.spec.projectRef

projectRef is a reference to the parent AtlasProject resource. Mutually exclusive with the "externalProjectRef" field.

`Name`	Type	Description	Required
`name`	string	Name of the Kubernetes Resource	true
`namespace`	string	Namespace of the Kubernetes Resource	false

AtlasCustomRole.status

AtlasCustomRoleStatus is a status for the AtlasCustomRole Custom resource. Not the one included in the AtlasProject

`Name`	Type	Description	Required
`conditions`	[]object	Conditions is the list of statuses showing the current state of the Atlas Custom Resource	true
`observedGeneration`	integer	`ObservedGeneration` indicates the generation of the resource specification of which the Atlas Operator is aware. The Atlas Operator updates this field to the value of 'metadata.generation' as soon as it starts reconciliation of the resource. Format: int64	false

AtlasCustomRole.status.conditions

Condition describes the state of an Atlas Custom Resource at a certain point.

`Name`	Type	Description	Required
`status`	string	Status of the condition; one of True, False, Unknown.	true
`type`	string	Type of Atlas Custom Resource condition.	true
`lastTransitionTime`	string	Last time the condition transitioned from one status to another. Represented in `ISO` 8601 format. Format: date-time	false
`message`	string	A `message` providing details about the transition.	false
`reason`	string	The `reason` for the condition's last transition.	false

Back

AtlasBackupSchedule

AtlasIPAccessList