The MongoDB Enterprise Kubernetes Operator is deprecated. The new MongoDB Controllers for Kubernetes Operator replaces the MongoDB Enterprise Kubernetes Operator. The first version of the Controllers for Kubernetes Operator is functionally equivalent to v1.33 of the Enterprise Kubernetes Operator. For more information about this change, and guidance on migrating to the new Operator, see the release notes for the first new version. There will be no future releases of the MongoDB Enterprise Kubernetes Operator. Each version will reach end of life according to the existing one year support policy. Please migrate to the Controllers for Kubernetes Operator for continued support.
Objects in the Kubernetes Operator configuration use default permissions. These are the minimum permissions for the Kubernetes Operator to deploy and manage Ops Manager and MongoDB resources in a Kubernetes cluster.
Default Permissions for Kubernetes Operator Objects
Use the following chart to verify that the objects in your Kubernetes Operator configuration have access to the required Kubernetes API verbs:
Kubernetes Resources
API Verbs
Configmaps
Require the following permissions:
get, list, watch. The Kubernetes Operator reads the organization and project data from the specified configmap.
create, update. The Kubernetes Operator creates and updates configmap objects for configuring the Application Database instances.
delete. The Kubernetes Operator needs the delete configmap permission to support its older versions. This permission will be deleted when older versions reach their End of Life Date.
Secrets
Require the following permissions:
get, list, watch. The Kubernetes Operator reads secret objects to retrieve sensitive data, such as TLS or X.509 access information. For example, it reads the credentials from a secret object to connect to the Ops Manager.
create, update. The Kubernetes Operator creates secret objects holding TLS or X.509 access information.
delete. The Kubernetes Operator deletes secret objects (containing passwords) related to the Application Database.
Services
Require the following permissions:
get, list, watch. The Kubernetes Operator reads and watches MongoDB services. For example, to communicate with the Ops Manager service, the Kubernetes Operator needs get, list and watch permissions to use the Ops Manager service's URL.
create, update. To communicate with services, the Kubernetes Operator creates and updates service objects corresponding to Ops Manager and MongoDB custom resources.
StatefulSets
Require the following permissions:
get, list, watch. The Kubernetes Operator reacts to the changes in the StatefulSets it creates for the MongoDB custom resources. It also reads the fields of the StatefulSets it manages.
create, update. The Kubernetes Operator creates and updates StatefulSets corresponding to the MongoDB custom resources.
delete. The Kubernetes Operator needs permissions to delete the StatefulSets when you delete the MongoDB custom resource.
Pods
Require the following permissions:
get, list, watch. The Kubernetes Operator queries the Application Database Pods to get information about their state.
Namespaces
Require the following permissions:
list, watch. When you run the Kubernetes Operator in the cluster-wide mode, it needs list and watch permissions to all namespaces for the MongoDB custom resources.
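One way to run the check the chart describes against the rules of a Role or ClusterRole: the added example below (not part of the MongoDB documentation or the Operator's code) reports verbs that are missing and verbs granted beyond the chart, including wildcards. It only looks at the resources listed on this page; the function names and the sample rules are constructed for illustration.

```python
# Required verbs transcribed from the chart above (added example).
# API groups are standard Kubernetes: "" is the core group, StatefulSets are in "apps".
RW = {"get", "list", "watch", "create", "update"}
REQUIRED = {
    ("", "configmaps"): RW | {"delete"},
    ("", "secrets"): RW | {"delete"},
    ("", "services"): RW,
    ("apps", "statefulsets"): RW | {"delete"},
    ("", "pods"): {"get", "list", "watch"},
}
CLUSTER_WIDE = {("", "namespaces"): {"list", "watch"}}  # cluster-wide mode only


def granted_verbs(rules, group, resource):
    """Union of the verbs that the RBAC rules grant on one (apiGroup, resource)."""
    verbs = set()
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if (group in groups or "*" in groups) and (resource in resources or "*" in resources):
            verbs |= set(rule.get("verbs", []))
    return verbs


def audit(rules, cluster_wide=False):
    """Return (missing, excess): verbs per resource relative to the chart."""
    required = {**REQUIRED, **(CLUSTER_WIDE if cluster_wide else {})}
    missing, excess = {}, {}
    for (group, resource), need in required.items():
        have = granted_verbs(rules, group, resource)
        if "*" not in have and need - have:  # a wildcard verb satisfies every requirement
            missing[resource] = sorted(need - have)
        if have - need:  # anything beyond the chart, "*" included
            excess[resource] = sorted(have - need)
    return missing, excess


SAMPLE_RULES = [  # constructed rules, not the Operator's shipped manifest
    {"apiGroups": [""], "resources": ["configmaps", "secrets", "services"],
     "verbs": sorted(RW | {"delete"})},
    {"apiGroups": ["apps"], "resources": ["statefulsets"], "verbs": sorted(RW)},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, cluster_wide=True))
```

To audit a live object, pass the "rules" list from the JSON that kubectl get role or kubectl get clusterrole returns with -o json.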