• Install and Configure the Kubernetes Operator >
• Plan your MongoDB Enterprise Kubernetes Operator Installation >
• Set Scope for MongoDB Enterprise Kubernetes Operator Deployment

Set Scope for MongoDB Enterprise Kubernetes Operator Deployment

Before you install the Kubernetes Operator, you can set the scope of the Kubernetes Operator deployment. The scopes depend on the namespaces in which you choose to deploy Ops Manager and MongoDB Kubernetes resources.

Kubernetes Operator Deployment Scopes

You can set one of these scopes:

• Operator Uses the Same Single Namespace as Resources (Default)
• Operator Uses a Subset of Namespaces
• Operator Uses Cluster-Wide Scope

Operator Uses the Same Single Namespace as Resources

You can set the scope for the Kubernetes Operator to use the same namespace as resources. In this case, the Kubernetes Operator watches Ops Manager and MongoDB Kubernetes resources in that same namespace.

When you install the Kubernetes Operator, it uses the default namespace.

Operator Uses a Subset of Namespaces

You can set the scope for the Kubernetes Operator to use one or more namespaces that differ from the namespace used by the Kubernetes Operator resources. In this case, the Kubernetes Operator watches Ops Manager and MongoDB Kubernetes resources in a subset of namespaces that you specify.

To install the Kubernetes Operator instances with this scope, use helm with the operator.watchNamespace parameter.

Watching a subset of namespaces is useful in deployments with multiple Kubernetes Operator instances, where each Kubernetes Operator instance watches a different subset of namespaces in your cluster.

Follow the relevant installation instructions for helm, but specify one or more namespaces in the operator.watchNamespace parameter for the Kubernetes Operator to watch:

Example

copy

# Watch one namespace
helm install enterprise-operator mongodb/enterprise-operator \
  --set operator.watchNamespace='namespace-to-watch' <...>

Example

copy

# Watch both namespace-a and namespace-b
helm install enterprise-operator mongodb/enterprise-operator \
  --set operator.watchNamespace="namespace-a\,namespace-b"

Example

copy

# Operator with name `mongodb-enterprise-operator-qa-envs` will
# watch ns-dev, ns-qa and ns-uat namespaces

helm install mongodb-enterprise-operator-qa-envs mongodb/enterprise-operator \
  --set operator.watchNamespace="ns-dev\,ns-qa\,ns-uat"

Example

copy

# Operator with name `mongodb-enterprise-operator-staging` will
# watch ns-staging and ns-pre-prod
helm install mongodb-operator helm-chart --set operator.watchNamespace="ns-staging\,ns-pre-prod" mongodb-enterprise-operator-staging

When installing the Kubernetes Operator to watch resources in one or more namespaces other than the namespace in which the Kubernetes Operator is deployed:

1. Create the following resources:
   • A ClusterRole with access to multiple resources. For the full resource definition, see the operator-roles.yaml example. This is a cluster-scoped resource.
   • Create a ClusterRoleBinding to link ClusterRole with ServiceAccount. This clusterRoleBinding will bind the clusterRole that you created with the ServiceAccount that the Kubernetes Operator is using on the namespace where you install it.
2. Include the ClusterRole and ClusterRoleBinding in the default configuration files that you apply during the installation.

The following example illustrates how the ClusterRole and ClusterRoleBinding work together in the cluster.

Suppose you create a ServiceAccount in the mongodb namespace, and then install the Kubernetes Operator in this namespace. The Kubernetes Operator uses this ServiceAccount.

To set the Kubernetes Operator scope to watch namespaces ns1 and ns2:

1. Obtain cluster-admin privileges.
2. Using these privileges, create a cluster-wide, non-namespaced ClusterRole.
3. Create a ClusterRoleBinding in three namespaces: mongodb, ns1 and ns2. This ClusterRoleBinding will bind the ClusterRole to the ServiceAccount in the mongodb namespace. The clusterRoleBinding will allow the Kubernetes Operator deployed in the mongodb namespace to access the resources described in the clusterRole of the target namespace, that is, in mongodb, ns1 and ns2.

See also operator.watchNamespace.

Operator Uses Cluster-Wide Scope

You can set the scope for the Kubernetes Operator to the Kubernetes cluster. In this case, the Kubernetes Operator watches Ops Manager and MongoDB Kubernetes resources in all namespaces in the Kubernetes cluster.

Important

You can deploy only one instance of the Kubernetes Operator with a cluster-wide scope per Kubernetes cluster.

To set a cluster-wide scope for the Kubernetes Operator, follow the instructions for your preferred installation method.

• Kubernetes
• OpenShift

• Using kubectl
• Using Helm

1. Use the mongodb-enterprise.yaml sample YAML file from the MongoDB Enterprise Kubernetes Operator GitHub repository.

2. Set the spec.template.spec.containers.name.env.name:WATCH_NAMESPACE in mongodb-enterprise.yaml to "*". You must include the double quotation marks (") around the asterisk (*) in the YAML file.

   copy

   WATCH_NAMESPACE: "*"
   

3. In mongodb-enterprise.yaml, change:

   copy

   kind:  Role
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
    name: mongodb-enterprise-operator
   

   to:

   copy

   kind: ClusterRole
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
    name: mongodb-enterprise-operator
   

4. Add the following code to the ClusterRole that you have just modified:

   copy

   - apiGroups:
     - ""
     resources:
     - namespaces
     verbs:
     - list
     - watch
   

5. In mongodb-enterprise.yaml, change:

   copy

   kind:  RoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
    name: mongodb-enterprise-operator
    namespace: mongodb
   roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: mongodb-enterprise-operator
   subjects:
    - kind: ServiceAccount
    name: mongodb-enterprise-operator
    namespace: mongodb
   

   to:

   copy

   kind:  ClusterRoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
    name: mongodb-enterprise-operator
    namespace: mongodb
   roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: mongodb-enterprise-operator
   subjects:
    - kind: ServiceAccount
    name: mongodb-enterprise-operator
    namespace: mongodb
   

6. In the mongodb-enterprise.yaml file, change the <namespace> value to the namespace where you want the Kubernetes Operator to deploy resources and apply the YAML fle.

   copy

   ---
   kind: ServiceAccount
   apiVersion: v1
   metadata:
     name: mongodb-enterprise-appdb
     namespace: <namespace>
   ---
   kind: ServiceAccount
   apiVersion: v1
   metadata:
     name: mongodb-enterprise-database-pods
     namespace: <namespace>
   ---
   kind: ServiceAccount
   apiVersion: v1
   metadata:
     name: mongodb-enterprise-ops-manager
     namespace: <namespace>
   ---
   kind: Role
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: mongodb-enterprise-appdb
     namespace: <namespace>
   rules:
     - apiGroups:
         - ""
       resources:
         - secrets
       verbs:
         - get
     - apiGroups:
         - ""
       resources:
         - pods
       verbs:
         - patch
   ---
   kind: RoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: mongodb-enterprise-appdb
     namespace: <namespace>
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
     name: mongodb-enterprise-appdb
   subjects:
     - kind: ServiceAccount
       name: mongodb-enterprise-appdb
       namespace: <namespace>
   ...
   

7. Create local Kubernetes service accounts:

   For each namespace, create some or all of the following local Kubernetes service accounts:

   • If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.
   • If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.

   Copy and paste the applicable examples and replace the <namespace> value with the label that identifies the namespace.

   copy

   ---
   kind: ServiceAccount
   apiVersion: v1
   metadata:
    name: mongodb-enterprise-database-pods
    namespace: <namespace>
   ---
   kind: ServiceAccount
   apiVersion: v1
   metadata:
    name: mongodb-enterprise-appdb
    namespace: <namespace>
   ---
   kind: ServiceAccount
   apiVersion: v1
   metadata:
    name: mongodb-enterprise-ops-manager
    namespace: <namespace>
   

Before you deploy the Kubernetes Operator, configure the following items:

1. Configure the Kubernetes Operator to watch all namespaces:

   copy

   helm install enterprise-operator mongodb/enterprise-operator \
     --set operator.watchNamespace="*"
   

2. Create local Kubernetes service accounts:

   For each namespace, create some or all of the following local Kubernetes service accounts:

   • If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.
   • If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.

   Copy and paste the applicable examples and replace the <namespace> value with the label that identifies the namespace.

   copy

   helm template mongodb/enterprise-operator \
     --set namespace=<metadata.namespace>
     --show-only templates/database-roles.yaml | kubectl apply -f -
   

• Using oc
• Using Helm

Before you deploy the Kubernetes Operator, configure the following items:

1. Use the mongodb-enterprise-openshift.yaml sample YAML file from the MongoDB Enterprise Kubernetes Operator GitHub repository.

2. Set the spec.template.spec.containers.name.env.name:WATCH_NAMESPACE in mongodb-enterprise-openshift.yaml to "*". You must include the double quotation marks (") around the asterisk (*) in the YAML file.

   copy

   WATCH_NAMESPACE: "*"
   

3. Create the corresponding roles for these accounts. In mongodb-enterprise-openshift.yaml, change:

   copy

   kind: Role
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
    name: enterprise-operator
   

   to:

   copy

   kind: ClusterRole
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
    name: enterprise-operator
   

4. Add the following code to the ClusterRole that you have just modified:

   copy

   - apiGroups:
     - ""
     resources:
     - namespaces
     verbs:
     - list
     - watch
   

5. In mongodb-enterprise-openshift.yaml, change:

   copy

   kind:  RoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
    name: enterprise-operator
    namespace: mongodb
   roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: enterprise-operator
   subjects:
    - kind: ServiceAccount
    name: enterprise-operator
    namespace: mongodb
   

   to:

   copy

   kind:  ClusterRoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
    name: enterprise-operator
    namespace: mongodb
   roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: enterprise-operator
   subjects:
    - kind: ServiceAccount
    name: enterprise-operator
    namespace: mongodb
   

6. Create the secret only in the namespace where you will deploy the Kubernetes Operator. If you deploy MongoDB resources in multiple namespaces or with a cluster-wide scope, the Kubernetes Operator synchronizes the secret across all watched namespaces. To learn more, see the registry.imagePullSecrets setting in the Helm installation settings.

   In the mongodb-enterprise.yaml file, replace <namespace> with the namespace in which you want to install the Kubernetes Operator. Use oc or the OpenShift Container Platform UI to apply the resulting YAML file.

   copy

   ---
   kind: ServiceAccount
   apiVersion: v1
   metadata:
     name: mongodb-enterprise-appdb
     namespace: <namespace>
   ---
   kind: ServiceAccount
   apiVersion: v1
   metadata:
     name: mongodb-enterprise-database-pods
     namespace: <namespace>
   ---
   kind: ServiceAccount
   apiVersion: v1
   metadata:
     name: mongodb-enterprise-ops-manager
     namespace: <namespace>
   ---
   kind: Role
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: mongodb-enterprise-appdb
     namespace: <namespace>
   rules:
     - apiGroups:
         - ""
       resources:
         - secrets
       verbs:
         - get
     - apiGroups:
         - ""
       resources:
         - pods
       verbs:
         - patch
   ---
   kind: RoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: mongodb-enterprise-appdb
     namespace: <namespace>
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
     name: mongodb-enterprise-appdb
   subjects:
     - kind: ServiceAccount
       name: mongodb-enterprise-appdb
       namespace: <namespace>
   ...
   

7. Create local Kubernetes service accounts:

   For each namespace, create some or all of the following local Kubernetes service accounts:

   • If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.
   • If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.

   Copy and paste the applicable examples and replace the <namespace> value with the label that identifies the namespace.

Before you deploy the Kubernetes Operator, configure the following items:

1. Configure the Kubernetes Operator to watch all namespaces:

   copy

   helm install enterprise-operator mongodb/enterprise-operator \
     --set operator.watchNamespace="*" \
   

2. Create the secret only in the namespace where you will deploy the Kubernetes Operator. If you deploy MongoDB resources in multiple namespaces or with a cluster-wide scope, the Kubernetes Operator synchronizes the secret across all watched namespaces. To learn more, see the registry.imagePullSecrets setting in the Helm installation settings.

   In the mongodb-enterprise.yaml file, replace <namespace> with the namespace in which you want to install the Kubernetes Operator. Use oc or the OpenShift Container Platform UI to apply the resulting YAML file.

   copy

   ---
   kind: ServiceAccount
   apiVersion: v1
   metadata:
     name: mongodb-enterprise-appdb
     namespace: <namespace>
   ---
   kind: ServiceAccount
   apiVersion: v1
   metadata:
     name: mongodb-enterprise-database-pods
     namespace: <namespace>
   ---
   kind: ServiceAccount
   apiVersion: v1
   metadata:
     name: mongodb-enterprise-ops-manager
     namespace: <namespace>
   ---
   kind: Role
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: mongodb-enterprise-appdb
     namespace: <namespace>
   rules:
     - apiGroups:
         - ""
       resources:
         - secrets
       verbs:
         - get
     - apiGroups:
         - ""
       resources:
         - pods
       verbs:
         - patch
   ---
   kind: RoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: mongodb-enterprise-appdb
     namespace: <namespace>
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
     name: mongodb-enterprise-appdb
   subjects:
     - kind: ServiceAccount
       name: mongodb-enterprise-appdb
       namespace: <namespace>
   ...
   

3. Create local Kubernetes service accounts:

   For each namespace, create some or all of the following local Kubernetes service accounts:

   • If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.
   • If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.

   Copy and paste the applicable examples and replace the <namespace> value with the label that identifies the namespace.

   copy

   helm template mongodb/enterprise-operator \
     --set namespace=<metadata.namespace>
     --show-only templates/database-roles.yaml | oc apply -f -
   

Next Steps

After setting up the scope for the MongoDB Enterprise Kubernetes Operator, you can:

• Read the Considerations.
• Complete the Prerequisites.
• Install the Kubernetes Operator.

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.