Set Scope for MongoDB Enterprise Kubernetes Operator Deployment

On this page

Kubernetes Operator Deployment Scopes

Next Steps

Before you install the Kubernetes Operator, you can set the scope of the Kubernetes Operator deployment. The scopes depend on the namespaces in which you choose to deploy Ops Manager and MongoDB resources.

Kubernetes Operator Deployment Scopes

You can set one of these scopes:

Operator Uses the Same Single Namespace as Resources (Default)
Operator Uses a Subset of Namespaces
Operator Uses Cluster-Wide Scope

Operator Uses the Same Single Namespace as Resources

You can set the scope for the Kubernetes Operator to use the same namespace as resources. In this case, the Kubernetes Operator watches Ops Manager and MongoDB resources in that same namespace.

When you install the Kubernetes Operator, it uses the default namespace.

Operator Uses a Subset of Namespaces

You can set the scope for the Kubernetes Operator to use one or more namespaces that differ from the namespace used by the Kubernetes Operator resources. In this case, the Kubernetes Operator watches Ops Manager and MongoDB resources in a subset of namespaces that you specify.

To install the Kubernetes Operator instances with this scope, use helm with the operator.watchNamespace parameter.

Watching a subset of namespaces is useful in deployments where a single Kubernetes Operator instance watches a different cluster resource type. For example, you can configure the Kubernetes Operator to watch MongoDB resources in one subset of namespaces, and to watch MongoDBMultiCluster resources in another subset of namespaces. To avoid race conditions during resource reconciliation, for each custom resource type that you want the Kubernetes Operator to watch, ensure that you set scope to a distinct subset of namespaces.

Follow the relevant installation instructions for helm, but specify one or more namespaces in the operator.watchNamespace parameter for the Kubernetes Operator to watch:

# Watch one namespace
helm install enterprise-operator mongodb/enterprise-operator \
   --set operator.watchNamespace='namespace-to-watch' <...>

# Watch both namespace-a and namespace-b
helm install enterprise-operator mongodb/enterprise-operator \
   --set operator.watchNamespace="namespace-a\,namespace-b"

# Operator with name `mongodb-enterprise-operator-qa-envs` will
# watch ns-dev, ns-qa and ns-uat namespaces
helm install mongodb-enterprise-operator-qa-envs mongodb/enterprise-operator \
   --set operator.watchNamespace="ns-dev\,ns-qa\,ns-uat"

# Operator with name `mongodb-enterprise-operator-staging` will
# watch ns-staging and ns-pre-prod
helm install mongodb-operator helm-chart --set operator.watchNamespace="ns-staging\,ns-pre-prod" mongodb-enterprise-operator-staging

When installing the Kubernetes Operator to watch resources in one or more namespaces other than the namespace in which the Kubernetes Operator is deployed:

Create the following resources:
- A ClusterRole with access to multiple resources. For the full resource definition, see the operator-roles.yaml example. This is a cluster-scoped resource.
- Create a ClusterRoleBinding to link ClusterRole with ServiceAccount. This clusterRoleBinding will bind the clusterRole that you created with the ServiceAccount that the Kubernetes Operator is using on the namespace where you install it.
Include the ClusterRole and ClusterRoleBinding in the default configuration files that you apply during the installation.

The following example illustrates how the ClusterRole and ClusterRoleBinding work together in the cluster.

Suppose you create a ServiceAccount in the mongodb namespace, and then install the Kubernetes Operator in this namespace. The Kubernetes Operator uses this ServiceAccount.

To set the Kubernetes Operator scope to watch namespaces ns1 and ns2:

Obtain cluster-admin privileges.
Using these privileges, create a cluster-wide, non-namespaced ClusterRole.
Create a ClusterRoleBinding in three namespaces: mongodb, ns1 and ns2. This ClusterRoleBinding will bind the ClusterRole to the ServiceAccount in the mongodb namespace. The clusterRoleBinding will allow the Kubernetes Operator deployed in the mongodb namespace to access the resources described in the clusterRole of the target namespace, that is, in mongodb, ns1 and ns2.

Operator Uses Cluster-Wide Scope

You can set the scope for the Kubernetes Operator to the Kubernetes cluster. In this case, the Kubernetes Operator watches Ops Manager and MongoDB resources in all namespaces in the Kubernetes cluster.

Important

You can deploy only one instance of the Kubernetes Operator with a cluster-wide scope per Kubernetes cluster.

To set a cluster-wide scope for the Kubernetes Operator, follow the instructions for your preferred installation method.

Use the mongodb-enterprise.yaml sample YAML file from the MongoDB Enterprise Kubernetes Operator GitHub repository.
Set the spec.template.spec.containers.name.env.name:WATCH_NAMESPACE in mongodb-enterprise.yaml to "*". You must include the double quotation marks (") around the asterisk (*) in the YAML file.
```
WATCH_NAMESPACE: "*"
```

In mongodb-enterprise.yaml, change:

kind:  Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: mongodb-enterprise-operator

to:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: mongodb-enterprise-operator

Add the following code to the ClusterRole that you have just modified:

- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
  - watch

In mongodb-enterprise.yaml, change:

kind:  RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: mongodb-enterprise-operator
 namespace: mongodb
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
 name: mongodb-enterprise-operator
subjects:
 - kind: ServiceAccount
 name: mongodb-enterprise-operator
 namespace: mongodb

to:

kind:  ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: mongodb-enterprise-operator
 namespace: mongodb
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: mongodb-enterprise-operator
subjects:
 - kind: ServiceAccount
 name: mongodb-enterprise-operator
 namespace: mongodb

In the mongodb-enterprise.yaml file, change the <namespace> value to the namespace where you want the Kubernetes Operator to deploy resources and apply the YAML fle.

1 ---
2 kind: ServiceAccount
3 apiVersion: v1
4 metadata:
5   name: mongodb-enterprise-appdb
6   namespace: <namespace>
7 ---
8 kind: ServiceAccount
9 apiVersion: v1
10 metadata:
11   name: mongodb-enterprise-database-pods
12   namespace: <namespace>
13 ---
14 kind: ServiceAccount
15 apiVersion: v1
16 metadata:
17   name: mongodb-enterprise-ops-manager
18   namespace: <namespace>
19 ---
20 kind: Role
21 apiVersion: rbac.authorization.k8s.io/v1
22 metadata:
23   name: mongodb-enterprise-appdb
24   namespace: <namespace>
25 rules:
26   - apiGroups:
27       - ""
28     resources:
29       - secrets
30     verbs:
31       - get
32   - apiGroups:
33       - ""
34     resources:
35       - pods
36     verbs:
37       - patch
38 ---
39 kind: RoleBinding
40 apiVersion: rbac.authorization.k8s.io/v1
41 metadata:
42   name: mongodb-enterprise-appdb
43   namespace: <namespace>
44 roleRef:
45   apiGroup: rbac.authorization.k8s.io
46   kind: Role
47   name: mongodb-enterprise-appdb
48 subjects:
49   - kind: ServiceAccount
50     name: mongodb-enterprise-appdb
51     namespace: <namespace>
52 ...

Create local Kubernetes service accounts:

For each namespace, create some or all of the following local Kubernetes service accounts:

If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.
If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.

Copy and paste the applicable examples and replace the <namespace> value with the label that identifies the namespace.

---
kind: ServiceAccount
apiVersion: v1
metadata:
 name: mongodb-enterprise-database-pods
 namespace: <namespace>
---
kind: ServiceAccount
apiVersion: v1
metadata:
 name: mongodb-enterprise-appdb
 namespace: <namespace>
---
kind: ServiceAccount
apiVersion: v1
metadata:
 name: mongodb-enterprise-ops-manager
 namespace: <namespace>

Before you deploy the Kubernetes Operator, configure the following items:

Configure the Kubernetes Operator to watch all namespaces:

helm install enterprise-operator mongodb/enterprise-operator \
  --set operator.watchNamespace="*"

Create local Kubernetes service accounts:
For each namespace, create some or all of the following local Kubernetes service accounts:
- If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.
- If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.
Copy and paste the applicable examples and replace the <namespace> value with the label that identifies the namespace.
```
helm template mongodb/enterprise-operator \
  --set operator.namespace=<metadata.namespace> \
  --show-only templates/database-roles.yaml | kubectl apply -f -
```

Before you deploy the Kubernetes Operator, configure the following items:

Use the mongodb-enterprise-openshift.yaml sample YAML file from the MongoDB Enterprise Kubernetes Operator GitHub repository.
Set the spec.template.spec.containers.name.env.name:WATCH_NAMESPACE in mongodb-enterprise-openshift.yaml to "*". You must include the double quotation marks (") around the asterisk (*) in the YAML file.
```
WATCH_NAMESPACE: "*"
```

Create the corresponding roles for these accounts. In mongodb-enterprise-openshift.yaml, change:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: enterprise-operator

to:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: enterprise-operator

Add the following code to the ClusterRole that you have just modified:

- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
  - watch

In mongodb-enterprise-openshift.yaml, change:

kind:  RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: enterprise-operator
 namespace: mongodb
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
 name: enterprise-operator
subjects:
 - kind: ServiceAccount
 name: enterprise-operator
 namespace: mongodb

to:

kind:  ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: enterprise-operator
 namespace: mongodb
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: enterprise-operator
subjects:
 - kind: ServiceAccount
 name: enterprise-operator
 namespace: mongodb

Create the secret only in the namespace where you will deploy the Kubernetes Operator. If you deploy MongoDB resources in multiple namespaces or with a cluster-wide scope, the Kubernetes Operator synchronizes the secret across all watched namespaces. To learn more, see the registry.imagePullSecrets setting in the Helm installation settings.

In the mongodb-enterprise.yaml file, replace <namespace> with the namespace in which you want to install the Kubernetes Operator. Use oc or the OpenShift Container Platform UI to apply the resulting YAML file.

1 ---
2 kind: ServiceAccount
3 apiVersion: v1
4 metadata:
5   name: mongodb-enterprise-appdb
6   namespace: <namespace>
7 ---
8 kind: ServiceAccount
9 apiVersion: v1
10 metadata:
11   name: mongodb-enterprise-database-pods
12   namespace: <namespace>
13 ---
14 kind: ServiceAccount
15 apiVersion: v1
16 metadata:
17   name: mongodb-enterprise-ops-manager
18   namespace: <namespace>
19 ---
20 kind: Role
21 apiVersion: rbac.authorization.k8s.io/v1
22 metadata:
23   name: mongodb-enterprise-appdb
24   namespace: <namespace>
25 rules:
26   - apiGroups:
27       - ""
28     resources:
29       - secrets
30     verbs:
31       - get
32   - apiGroups:
33       - ""
34     resources:
35       - pods
36     verbs:
37       - patch
38 ---
39 kind: RoleBinding
40 apiVersion: rbac.authorization.k8s.io/v1
41 metadata:
42   name: mongodb-enterprise-appdb
43   namespace: <namespace>
44 roleRef:
45   apiGroup: rbac.authorization.k8s.io
46   kind: Role
47   name: mongodb-enterprise-appdb
48 subjects:
49   - kind: ServiceAccount
50     name: mongodb-enterprise-appdb
51     namespace: <namespace>
52 ...

Create local Kubernetes service accounts:
For each namespace, create some or all of the following local Kubernetes service accounts:
- If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.
- If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.
Copy and paste the applicable examples and replace the <namespace> value with the label that identifies the namespace.

Before you deploy the Kubernetes Operator, configure the following items:

Configure the Kubernetes Operator to watch all namespaces:

helm install enterprise-operator mongodb/enterprise-operator \
  --set operator.watchNamespace="*" \

1 ---
2 kind: ServiceAccount
3 apiVersion: v1
4 metadata:
5   name: mongodb-enterprise-appdb
6   namespace: <namespace>
7 ---
8 kind: ServiceAccount
9 apiVersion: v1
10 metadata:
11   name: mongodb-enterprise-database-pods
12   namespace: <namespace>
13 ---
14 kind: ServiceAccount
15 apiVersion: v1
16 metadata:
17   name: mongodb-enterprise-ops-manager
18   namespace: <namespace>
19 ---
20 kind: Role
21 apiVersion: rbac.authorization.k8s.io/v1
22 metadata:
23   name: mongodb-enterprise-appdb
24   namespace: <namespace>
25 rules:
26   - apiGroups:
27       - ""
28     resources:
29       - secrets
30     verbs:
31       - get
32   - apiGroups:
33       - ""
34     resources:
35       - pods
36     verbs:
37       - patch
38 ---
39 kind: RoleBinding
40 apiVersion: rbac.authorization.k8s.io/v1
41 metadata:
42   name: mongodb-enterprise-appdb
43   namespace: <namespace>
44 roleRef:
45   apiGroup: rbac.authorization.k8s.io
46   kind: Role
47   name: mongodb-enterprise-appdb
48 subjects:
49   - kind: ServiceAccount
50     name: mongodb-enterprise-appdb
51     namespace: <namespace>
52 ...

Create local Kubernetes service accounts:
For each namespace, create some or all of the following local Kubernetes service accounts:
- If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.
- If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.
Copy and paste the applicable examples and replace the <namespace> value with the label that identifies the namespace.
```
helm template mongodb/enterprise-operator \
  --set operator.namespace=<metadata.namespace> \
  --show-only templates/database-roles.yaml | oc apply -f -
```

Next Steps

After setting up the scope for the MongoDB Enterprise Kubernetes Operator, you can:

Back

Single- or Multi-Kubernetes Clusters

Considerations

1	---
2	kind: ServiceAccount
3	apiVersion: v1
4	metadata:
5	name: mongodb-enterprise-appdb
6	namespace: <namespace>
7	---
8	kind: ServiceAccount
9	apiVersion: v1
10	metadata:
11	name: mongodb-enterprise-database-pods
12	namespace: <namespace>
13	---
14	kind: ServiceAccount
15	apiVersion: v1
16	metadata:
17	name: mongodb-enterprise-ops-manager
18	namespace: <namespace>
19	---
20	kind: Role
21	apiVersion: rbac.authorization.k8s.io/v1
22	metadata:
23	name: mongodb-enterprise-appdb
24	namespace: <namespace>
25	rules:
26	- apiGroups:
27	- ""
28	resources:
29	- secrets
30	verbs:
31	- get
32	- apiGroups:
33	- ""
34	resources:
35	- pods
36	verbs:
37	- patch
38	---
39	kind: RoleBinding
40	apiVersion: rbac.authorization.k8s.io/v1
41	metadata:
42	name: mongodb-enterprise-appdb
43	namespace: <namespace>
44	roleRef:
45	apiGroup: rbac.authorization.k8s.io
46	kind: Role
47	name: mongodb-enterprise-appdb
48	subjects:
49	- kind: ServiceAccount
50	name: mongodb-enterprise-appdb
51	namespace: <namespace>
52	...