Docs Menu

Docs HomeMongoDB Enterprise Kubernetes Operator

Set Scope for MongoDB Enterprise Kubernetes Operator Deployment

On this page

  • Kubernetes Operator Deployment Scopes
  • Next Steps

Before you install the Kubernetes Operator, you can set the scope of the Kubernetes Operator deployment. The scopes depend on the namespaces in which you choose to deploy Ops Manager and MongoDB resources.

You can set one of these scopes:

  • Operator Uses the Same Single Namespace as Resources (Default)

  • Operator Uses a Subset of Namespaces

  • Operator Uses Cluster-Wide Scope

You can set the scope for the Kubernetes Operator to use the same namespace as resources. In this case, the Kubernetes Operator watches Ops Manager and MongoDB resources in that same namespace.

When you install the Kubernetes Operator, it uses the default namespace.

You can set the scope for the Kubernetes Operator to use one or more namespaces that differ from the namespace used by the Kubernetes Operator resources. In this case, the Kubernetes Operator watches Ops Manager and MongoDB resources in a subset of namespaces that you specify.

To install the Kubernetes Operator instances with this scope, use helm with the operator.watchNamespace parameter.

Watching a subset of namespaces is useful in deployments where a single Kubernetes Operator instance watches a different cluster resource type. For example, you can configure the Kubernetes Operator to watch MongoDB resources in one subset of namespaces, and to watch MongoDBMultiCluster resources in another subset of namespaces. To avoid race conditions during resource reconciliation, for each custom resource type that you want the Kubernetes Operator to watch, ensure that you set scope to a distinct subset of namespaces.

Follow the relevant installation instructions for helm, but specify one or more namespaces in the operator.watchNamespace parameter for the Kubernetes Operator to watch:

Example

# Watch one namespace
helm install enterprise-operator mongodb/enterprise-operator \
--set operator.watchNamespace='namespace-to-watch' <...>

Example

# Watch both namespace-a and namespace-b
helm install enterprise-operator mongodb/enterprise-operator \
--set operator.watchNamespace="namespace-a\,namespace-b"

Example

# Operator with name `mongodb-enterprise-operator-qa-envs` will
# watch ns-dev, ns-qa and ns-uat namespaces
helm install mongodb-enterprise-operator-qa-envs mongodb/enterprise-operator \
--set operator.watchNamespace="ns-dev\,ns-qa\,ns-uat"

Example

# Operator with name `mongodb-enterprise-operator-staging` will
# watch ns-staging and ns-pre-prod
helm install mongodb-operator helm-chart --set operator.watchNamespace="ns-staging\,ns-pre-prod" mongodb-enterprise-operator-staging

When installing the Kubernetes Operator to watch resources in one or more namespaces other than the namespace in which the Kubernetes Operator is deployed:

  1. Create the following resources:

    • A ClusterRole with access to multiple resources. For the full resource definition, see the operator-roles.yaml example. This is a cluster-scoped resource.

    • Create a ClusterRoleBinding to link ClusterRole with ServiceAccount. This clusterRoleBinding will bind the clusterRole that you created with the ServiceAccount that the Kubernetes Operator is using on the namespace where you install it.

  2. Include the ClusterRole and ClusterRoleBinding in the default configuration files that you apply during the installation.

The following example illustrates how the ClusterRole and ClusterRoleBinding work together in the cluster.

Suppose you create a ServiceAccount in the mongodb namespace, and then install the Kubernetes Operator in this namespace. The Kubernetes Operator uses this ServiceAccount.

To set the Kubernetes Operator scope to watch namespaces ns1 and ns2:

  1. Obtain cluster-admin privileges.

  2. Using these privileges, create a cluster-wide, non-namespaced ClusterRole.

  3. Create a ClusterRoleBinding in three namespaces: mongodb, ns1 and ns2. This ClusterRoleBinding will bind the ClusterRole to the ServiceAccount in the mongodb namespace. The clusterRoleBinding will allow the Kubernetes Operator deployed in the mongodb namespace to access the resources described in the clusterRole of the target namespace, that is, in mongodb, ns1 and ns2.

See also operator.watchNamespace.

You can set the scope for the Kubernetes Operator to the Kubernetes cluster. In this case, the Kubernetes Operator watches Ops Manager and MongoDB resources in all namespaces in the Kubernetes cluster.

Important

You can deploy only one instance of the Kubernetes Operator with a cluster-wide scope per Kubernetes cluster.

To set a cluster-wide scope for the Kubernetes Operator, follow the instructions for your preferred installation method.

After setting up the scope for the MongoDB Enterprise Kubernetes Operator, you can: