Docs Menu
Docs Home
/
MongoDB Enterprise Kubernetes Operator
/ /

Set Scope for MongoDB Enterprise Kubernetes Operator Deployment

On this page

  • Kubernetes Operator Deployment Scopes
  • Next Steps

Before you install the Kubernetes Operator, you can set the scope of the Kubernetes Operator deployment. The scopes depend on the namespaces in which you choose to deploy Ops Manager and MongoDB resources.

You can set one of these scopes:

  • Operator Uses the Same Single Namespace as Resources (Default)

  • Operator Uses a Subset of Namespaces

  • Operator Uses Cluster-Wide Scope

You can set the scope for the Kubernetes Operator to use the same namespace as resources. In this case, the Kubernetes Operator watches Ops Manager and MongoDB resources in that same namespace.

When you install the Kubernetes Operator, it uses the default namespace.

You can set the scope for the Kubernetes Operator to use one or more namespaces that differ from the namespace used by the Kubernetes Operator resources. In this case, the Kubernetes Operator watches Ops Manager and MongoDB resources in a subset of namespaces that you specify.

To install the Kubernetes Operator instances with this scope, use helm with the operator.watchNamespace parameter.

Watching a subset of namespaces is useful in deployments where a single Kubernetes Operator instance watches a different cluster resource type. For example, you can configure the Kubernetes Operator to watch MongoDB resources in one subset of namespaces, and to watch MongoDBMultiCluster resources in another subset of namespaces. To avoid race conditions during resource reconciliation, for each custom resource type that you want the Kubernetes Operator to watch, ensure that you set scope to a distinct subset of namespaces.

Follow the relevant installation instructions for helm, but specify one or more namespaces in the operator.watchNamespace parameter for the Kubernetes Operator to watch:

# Watch one namespace
helm install enterprise-operator mongodb/enterprise-operator \
--set operator.watchNamespace='namespace-to-watch' <...>
# Watch both namespace-a and namespace-b
helm install enterprise-operator mongodb/enterprise-operator \
--set operator.watchNamespace="namespace-a\,namespace-b"
# Operator with name `mongodb-enterprise-operator-qa-envs` will
# watch ns-dev, ns-qa and ns-uat namespaces
helm install mongodb-enterprise-operator-qa-envs mongodb/enterprise-operator \
--set operator.watchNamespace="ns-dev\,ns-qa\,ns-uat"
# Operator with name `mongodb-enterprise-operator-staging` will
# watch ns-staging and ns-pre-prod
helm install mongodb-operator helm-chart --set operator.watchNamespace="ns-staging\,ns-pre-prod" mongodb-enterprise-operator-staging

When installing the Kubernetes Operator to watch resources in one or more namespaces other than the namespace in which the Kubernetes Operator is deployed:

  1. Create the following resources:

    • A ClusterRole with access to multiple resources. For the full resource definition, see the operator-roles.yaml example. This is a cluster-scoped resource.

    • Create a ClusterRoleBinding to link ClusterRole with ServiceAccount. This clusterRoleBinding will bind the clusterRole that you created with the ServiceAccount that the Kubernetes Operator is using on the namespace where you install it.

  2. Include the ClusterRole and ClusterRoleBinding in the default configuration files that you apply during the installation.

  3. Create local Kubernetes ServiceAccounts:

    For each namespace, create some or all of the following local Kubernetes ServiceAccounts:

    • If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.

    • If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.

The following example illustrates how the ClusterRole and ClusterRoleBinding work together in the cluster.

Suppose you create a ServiceAccount in the mongodb namespace, and then install the Kubernetes Operator in this namespace. The Kubernetes Operator uses this ServiceAccount.

To set the Kubernetes Operator scope to watch namespaces ns1 and ns2:

  1. Obtain cluster-admin privileges.

  2. Using these privileges, create a cluster-wide, non-namespaced ClusterRole.

  3. Create a ClusterRoleBinding in three namespaces: mongodb, ns1 and ns2. This ClusterRoleBinding will bind the ClusterRole to the ServiceAccount in the mongodb namespace. The clusterRoleBinding will allow the Kubernetes Operator deployed in the mongodb namespace to access the resources described in the clusterRole of the target namespace, that is, in mongodb, ns1 and ns2.

See also operator.watchNamespace.

You can set the scope for the Kubernetes Operator to the Kubernetes cluster. In this case, the Kubernetes Operator watches Ops Manager and MongoDB resources in all namespaces in the Kubernetes cluster.

Important

You can deploy only one instance of the Kubernetes Operator with a cluster-wide scope per Kubernetes cluster.

To set a cluster-wide scope for the Kubernetes Operator, follow the instructions for your preferred installation method.

  1. Use the mongodb-enterprise.yaml sample YAML file from the MongoDB Enterprise Kubernetes Operator GitHub repository.

  2. Set the spec.template.spec.containers.name.env.name:WATCH_NAMESPACE in mongodb-enterprise.yaml to "*". You must include the double quotation marks (") around the asterisk (*) in the YAML file.

    WATCH_NAMESPACE: "*"
  3. In mongodb-enterprise.yaml, change:

    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
    name: mongodb-enterprise-operator

    to:

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
    name: mongodb-enterprise-operator
  4. Add the following code to the ClusterRole that you have just modified:

    - apiGroups:
    - ""
    resources:
    - namespaces
    verbs:
    - list
    - watch
  5. In mongodb-enterprise.yaml, change:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
    name: mongodb-enterprise-operator
    namespace: mongodb
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: mongodb-enterprise-operator
    subjects:
    - kind: ServiceAccount
    name: mongodb-enterprise-operator
    namespace: mongodb

    to:

    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
    name: mongodb-enterprise-operator
    namespace: mongodb
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: mongodb-enterprise-operator
    subjects:
    - kind: ServiceAccount
    name: mongodb-enterprise-operator
    namespace: mongodb
  6. In the mongodb-enterprise.yaml file, change the <namespace> value to the namespace where you want the Kubernetes Operator to deploy resources and apply the YAML fle.

    1---
    2kind: ServiceAccount
    3apiVersion: v1
    4metadata:
    5 name: mongodb-enterprise-appdb
    6 namespace: <namespace>
    7---
    8kind: ServiceAccount
    9apiVersion: v1
    10metadata:
    11 name: mongodb-enterprise-database-pods
    12 namespace: <namespace>
    13---
    14kind: ServiceAccount
    15apiVersion: v1
    16metadata:
    17 name: mongodb-enterprise-ops-manager
    18 namespace: <namespace>
    19---
    20kind: Role
    21apiVersion: rbac.authorization.k8s.io/v1
    22metadata:
    23 name: mongodb-enterprise-appdb
    24 namespace: <namespace>
    25rules:
    26 - apiGroups:
    27 - ""
    28 resources:
    29 - secrets
    30 verbs:
    31 - get
    32 - apiGroups:
    33 - ""
    34 resources:
    35 - pods
    36 verbs:
    37 - patch
    38---
    39kind: RoleBinding
    40apiVersion: rbac.authorization.k8s.io/v1
    41metadata:
    42 name: mongodb-enterprise-appdb
    43 namespace: <namespace>
    44roleRef:
    45 apiGroup: rbac.authorization.k8s.io
    46 kind: Role
    47 name: mongodb-enterprise-appdb
    48subjects:
    49 - kind: ServiceAccount
    50 name: mongodb-enterprise-appdb
    51 namespace: <namespace>
    52...
  7. Create local Kubernetes service accounts:

    For each namespace, create some or all of the following local Kubernetes service accounts:

    • If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.

    • If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.

    Copy and paste the applicable examples and replace the <namespace> value with the label that identifies the namespace.

    ---
    kind: ServiceAccount
    apiVersion: v1
    metadata:
    name: mongodb-enterprise-database-pods
    namespace: <namespace>
    ---
    kind: ServiceAccount
    apiVersion: v1
    metadata:
    name: mongodb-enterprise-appdb
    namespace: <namespace>
    ---
    kind: ServiceAccount
    apiVersion: v1
    metadata:
    name: mongodb-enterprise-ops-manager
    namespace: <namespace>

Before you deploy the Kubernetes Operator, configure the following items:

  1. Configure the Kubernetes Operator to watch all namespaces:

    helm install enterprise-operator mongodb/enterprise-operator \
    --set operator.watchNamespace="*"
  2. Create local Kubernetes service accounts:

    For each namespace, create some or all of the following local Kubernetes service accounts:

    • If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.

    • If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.

    Copy and paste the applicable examples and replace the <namespace> value with the label that identifies the namespace.

    helm template mongodb/enterprise-operator \
    --set operator.namespace=<metadata.namespace> \
    --show-only templates/database-roles.yaml | kubectl apply -f -

Before you deploy the Kubernetes Operator, configure the following items:

  1. Use the mongodb-enterprise-openshift.yaml sample YAML file from the MongoDB Enterprise Kubernetes Operator GitHub repository.

  2. Set the spec.template.spec.containers.name.env.name:WATCH_NAMESPACE in mongodb-enterprise-openshift.yaml to "*". You must include the double quotation marks (") around the asterisk (*) in the YAML file.

    WATCH_NAMESPACE: "*"
  3. Create the corresponding roles for these accounts. In mongodb-enterprise-openshift.yaml, change:

    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
    name: enterprise-operator

    to:

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
    name: enterprise-operator
  4. Add the following code to the ClusterRole that you have just modified:

    - apiGroups:
    - ""
    resources:
    - namespaces
    verbs:
    - list
    - watch
  5. In mongodb-enterprise-openshift.yaml, change:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
    name: enterprise-operator
    namespace: mongodb
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: enterprise-operator
    subjects:
    - kind: ServiceAccount
    name: enterprise-operator
    namespace: mongodb

    to:

    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
    name: enterprise-operator
    namespace: mongodb
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: enterprise-operator
    subjects:
    - kind: ServiceAccount
    name: enterprise-operator
    namespace: mongodb
  6. Create the secret only in the namespace where you will deploy the Kubernetes Operator. If you deploy MongoDB resources in multiple namespaces or with a cluster-wide scope, the Kubernetes Operator synchronizes the secret across all watched namespaces. To learn more, see the registry.imagePullSecrets setting in the Helm installation settings.

    In the mongodb-enterprise.yaml file, replace <namespace> with the namespace in which you want to install the Kubernetes Operator. Use oc or the OpenShift Container Platform UI to apply the resulting YAML file.

    1---
    2kind: ServiceAccount
    3apiVersion: v1
    4metadata:
    5 name: mongodb-enterprise-appdb
    6 namespace: <namespace>
    7---
    8kind: ServiceAccount
    9apiVersion: v1
    10metadata:
    11 name: mongodb-enterprise-database-pods
    12 namespace: <namespace>
    13---
    14kind: ServiceAccount
    15apiVersion: v1
    16metadata:
    17 name: mongodb-enterprise-ops-manager
    18 namespace: <namespace>
    19---
    20kind: Role
    21apiVersion: rbac.authorization.k8s.io/v1
    22metadata:
    23 name: mongodb-enterprise-appdb
    24 namespace: <namespace>
    25rules:
    26 - apiGroups:
    27 - ""
    28 resources:
    29 - secrets
    30 verbs:
    31 - get
    32 - apiGroups:
    33 - ""
    34 resources:
    35 - pods
    36 verbs:
    37 - patch
    38---
    39kind: RoleBinding
    40apiVersion: rbac.authorization.k8s.io/v1
    41metadata:
    42 name: mongodb-enterprise-appdb
    43 namespace: <namespace>
    44roleRef:
    45 apiGroup: rbac.authorization.k8s.io
    46 kind: Role
    47 name: mongodb-enterprise-appdb
    48subjects:
    49 - kind: ServiceAccount
    50 name: mongodb-enterprise-appdb
    51 namespace: <namespace>
    52...
  7. Create local Kubernetes service accounts:

    For each namespace, create some or all of the following local Kubernetes service accounts:

    • If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.

    • If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.

    Copy and paste the applicable examples and replace the <namespace> value with the label that identifies the namespace.

Before you deploy the Kubernetes Operator, configure the following items:

  1. Configure the Kubernetes Operator to watch all namespaces:

    helm install enterprise-operator mongodb/enterprise-operator \
    --set operator.watchNamespace="*" \
  2. Create the secret only in the namespace where you will deploy the Kubernetes Operator. If you deploy MongoDB resources in multiple namespaces or with a cluster-wide scope, the Kubernetes Operator synchronizes the secret across all watched namespaces. To learn more, see the registry.imagePullSecrets setting in the Helm installation settings.

    In the mongodb-enterprise.yaml file, replace <namespace> with the namespace in which you want to install the Kubernetes Operator. Use oc or the OpenShift Container Platform UI to apply the resulting YAML file.

    1---
    2kind: ServiceAccount
    3apiVersion: v1
    4metadata:
    5 name: mongodb-enterprise-appdb
    6 namespace: <namespace>
    7---
    8kind: ServiceAccount
    9apiVersion: v1
    10metadata:
    11 name: mongodb-enterprise-database-pods
    12 namespace: <namespace>
    13---
    14kind: ServiceAccount
    15apiVersion: v1
    16metadata:
    17 name: mongodb-enterprise-ops-manager
    18 namespace: <namespace>
    19---
    20kind: Role
    21apiVersion: rbac.authorization.k8s.io/v1
    22metadata:
    23 name: mongodb-enterprise-appdb
    24 namespace: <namespace>
    25rules:
    26 - apiGroups:
    27 - ""
    28 resources:
    29 - secrets
    30 verbs:
    31 - get
    32 - apiGroups:
    33 - ""
    34 resources:
    35 - pods
    36 verbs:
    37 - patch
    38---
    39kind: RoleBinding
    40apiVersion: rbac.authorization.k8s.io/v1
    41metadata:
    42 name: mongodb-enterprise-appdb
    43 namespace: <namespace>
    44roleRef:
    45 apiGroup: rbac.authorization.k8s.io
    46 kind: Role
    47 name: mongodb-enterprise-appdb
    48subjects:
    49 - kind: ServiceAccount
    50 name: mongodb-enterprise-appdb
    51 namespace: <namespace>
    52...
  3. Create local Kubernetes service accounts:

    For each namespace, create some or all of the following local Kubernetes service accounts:

    • If you want to deploy a MongoDB instance in the namespace, use mongodb-enterprise-database-pods.

    • If you want to deploy Ops Manager in the namespace, use mongodb-enterprise-appdb and mongodb-enterprise-ops-manager.

    Copy and paste the applicable examples and replace the <namespace> value with the label that identifies the namespace.

    helm template mongodb/enterprise-operator \
    --set operator.namespace=<metadata.namespace> \
    --show-only templates/database-roles.yaml | oc apply -f -

After setting up the scope for the MongoDB Enterprise Kubernetes Operator, you can: