
AtlasCustomRole Custom Resource

The AtlasCustomRole custom resource defines a custom database role to allocate privileges to your database users.

To create this custom role within a given project, you must either:

  • Reference the AtlasProject Custom Resource name in the AtlasCustomRole custom resource, for projects you manage with Atlas Kubernetes Operator

  • Reference the project ID of your Atlas project in the AtlasCustomRole custom resource, for projects you don't manage with Atlas Kubernetes Operator

Important

Custom Resources No Longer Delete Objects by Default

  • Atlas Kubernetes Operator uses custom resource configuration files to manage your Atlas configuration, but as of Atlas Kubernetes Operator 2.0, custom resources you delete in Kubernetes are no longer (by default) deleted in Atlas. Instead, Atlas Kubernetes Operator simply stops managing those resources in Atlas. For example, if you delete an AtlasProject Custom Resource in Kubernetes, by default the Atlas Kubernetes Operator no longer automatically deletes the corresponding project from Atlas. This change in behavior is intended to help prevent accidental or unexpected deletions. To learn more, including how to revert this behavior to the default used prior to Atlas Kubernetes Operator 2.0, see New Default: Deletion Protection in Atlas Kubernetes Operator 2.0.

    Similarly, Atlas Kubernetes Operator does not delete teams from Atlas if you remove them from an Atlas project in Kubernetes with the Atlas Kubernetes Operator.

  • Explicitly define your desired configuration details in order to avoid implicitly using default Atlas configuration values. In some cases, inheriting Atlas defaults may result in a reconciliation loop which can prevent your custom resource from achieving a READY state. For example, explicitly defining your desired autoscaling behavior in your AtlasDeployment custom resource, as shown in the included example, ensures that a static instance size in your custom resource is not being repeatedly applied to an Atlas deployment which has autoscaling enabled.

    autoScaling:
      diskGB:
        enabled: true
      compute:
        enabled: true
        scaleDownEnabled: true
        minInstanceSize: M30
        maxInstanceSize: M40

Atlas Kubernetes Operator does one of the following actions using the Atlas Custom Database Role API Resource:

  • Creates a new custom database role.

  • Updates an existing custom database role.

The following example shows an AtlasCustomRole custom resource that defines the shard-operator custom role, with privileges for backing up and monitoring sharded clusters within the my-project project.

apiVersion: atlas.mongodb.com/v1
kind: AtlasCustomRole
metadata:
  name: shard-operator-role
  namespace: mongodb-atlas-system
  labels:
    mongodb.com/atlas-reconciliation-policy: keep
spec:
  projectRef:
    name: my-project
    namespace: my-operator-namespace
  role:
    name: my-role
    actions:
      - name: getShardMap
        resources:
          - cluster: true
      - name: shardingState
        resources:
          - cluster: true
      - name: connPoolStats
        resources:
          - cluster: true
      - name: getLog
        resources:
          - cluster: true
    inheritedRoles:
      - name: operator-role-1
        role: backup

The following example shows an AtlasCustomRole independent CRD that defines the same shard-operator custom role defined in the Basic Example. This custom resource definition allows you to create this role in a project you don't manage in the same instance of Atlas Kubernetes Operator with which you define this resource. To enable independent operation, you must use an externalProjectRef instead of a projectRef, and you must supply a connectionSecret directly since this resource can't inherit API credentials from its parent project.

apiVersion: atlas.mongodb.com/v1
kind: AtlasCustomRole
metadata:
  name: shard-operator-role
  namespace: mongodb-atlas-system
  labels:
    mongodb.com/atlas-reconciliation-policy: keep
spec:
  externalProjectRef:
    id: 671998971c8520583f24f411
  connectionSecret:
    name: my-atlas-key
  role:
    name: my-role
    actions:
      - name: getShardMap
        resources:
          - cluster: true
      - name: shardingState
        resources:
          - cluster: true
      - name: connPoolStats
        resources:
          - cluster: true
      - name: getLog
        resources:
          - cluster: true
    inheritedRoles:
      - name: operator-role-1
        role: backup

This section describes the AtlasCustomRole custom resource parameters available.

metadata.name

Type: string

Required

Name that the AtlasProject Custom Resource uses to add this custom role to a project.

metadata.namespace

Type: string

Optional

Namespace other than default that you want to contain the AtlasCustomRole custom resource. If you define a custom namespace, you must add it to the AtlasProject Custom Resource in the spec.teams.teamRef.namespace field.

spec.connectionSecret.name

Type: string

Conditional

Name of the opaque secret that contains the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. If unspecified, Atlas Kubernetes Operator falls back to either:

  • The spec.connectionSecretRef.name parameter of the parent atlasProject

  • The default global secret, if spec.connectionSecretRef.name is undefined for the parent atlasProject

This parameter is mandatory for independent CRDs.

Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.

The following example labels a secret:

kubectl label secret the-user-password atlas.mongodb.com/type=credentials

spec.externalProjectRef.id

Type: string

Conditional

ID of the project to which the custom role belongs. You must specify the project ID of an existing Atlas Project. This parameter is required for custom roles that belong to projects managed by either:

  • A different instance of Atlas Kubernetes Operator

  • Tooling other than Atlas Kubernetes Operator

For custom roles that belong to projects managed by the same instance of Atlas Kubernetes Operator, use spec.projectRef.name instead of spec.externalProjectRef.id.

A custom role can only belong to one project. To define the same custom role for multiple projects, create custom resource definitions for each project.

spec.projectRef.name

Type: string

Conditional

Name of the project to which the custom role belongs. You must specify an existing AtlasProject Custom Resource. This parameter applies only to custom roles that belong to projects managed by the same instance of Atlas Kubernetes Operator.

For custom roles that belong to projects managed by either:

  • a different instance of Atlas Kubernetes Operator

  • tooling other than Atlas Kubernetes Operator

use spec.externalProjectRef.id.

A custom role can only belong to one project. To define the same custom role for multiple projects, create custom resource definitions for each project.

spec.projectRef.namespace

Type: string

Conditional

Namespace in which the AtlasProject Custom Resource specified in spec.projectRef.name exists.

For custom roles that belong to projects managed by either:

  • a different instance of Atlas Kubernetes Operator

  • tooling other than Atlas Kubernetes Operator

do not set this parameter.

spec.role.actions

Type: array

Optional

List of objects that represents the individual privilege actions that the role grants.

spec.role.actions.name

Type: string

Optional

Label that identifies the privilege action. For a complete list of actions available in the Atlas Administration API, see /reference/custom-role-actions.

spec.role.actions.resources

Type: array

Optional

List of objects that indicate a database and collection on which the action is granted, or indicates that the action is granted on the cluster resource.

spec.role.actions.resources.cluster

Type: boolean

Optional

Flag that indicates that the action is granted on the cluster resource.

Note

This parameter is mutually exclusive with the spec.role.actions.resources.collection and spec.role.actions.resources.database parameters.

spec.role.actions.resources.collection

Type: string

Optional

Human-readable label that identifies the collection on which the action is granted. If this value is an empty string, the action is granted on all collections within the database specified in the spec.role.actions.resources.database parameter.

Note

This parameter is mutually exclusive with the spec.role.actions.resources.cluster parameter.

spec.role.actions.resources.database

Type: string

Optional

Human-readable label that identifies the database on which the action is granted.

Note

This parameter is mutually exclusive with the spec.role.actions.resources.cluster parameter.

spec.role.inheritedRoles

Type: array

Optional

List of objects that represent key-value pairs that indicate the inherited role and the database on which the role is granted.

spec.role.inheritedRoles.database

Type: string

Optional

Human-readable label that identifies the database on which the inherited role is granted.

Note

This value should be admin for all roles except read and readWrite.

spec.role.inheritedRoles.name

Type: string

Optional

Label that uniquely identifies the inherited role. You can specify another custom role or a built-in role.
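The parameter reference above states several constraints that Atlas only reports after the resource has been applied: exactly one of spec.projectRef or spec.externalProjectRef, a spec.connectionSecret.name for independent CRDs that points at a secret carrying the atlas.mongodb.com/type=credentials label (an unlabelled secret is silently not watched), no spec.projectRef.namespace for an external project, cluster being mutually exclusive with database/collection in spec.role.actions.resources, and the admin database for inherited roles other than read and readWrite. The following linter is an added example, not part of Atlas Kubernetes Operator or its documentation; it checks those rules before a manifest reaches the cluster. The manifests and Secret objects it runs against are constructed here as Python dicts (the same shape kubectl would produce from YAML); the role, project and secret names follow the page's examples, and the project ID is the one from the independent CRD example above.

```python
"""Lint an AtlasCustomRole manifest against the rules in this reference page.

Added example, not part of Atlas Kubernetes Operator. Checks: exactly one of
spec.projectRef / spec.externalProjectRef; spec.connectionSecret.name present
for independent CRDs and pointing at a Secret labelled
atlas.mongodb.com/type=credentials; no spec.projectRef.namespace with an
external project; cluster vs database/collection resources mutually exclusive;
inherited roles other than read/readWrite granted on the admin database.
"""

CREDENTIALS_LABEL = ("atlas.mongodb.com/type", "credentials")
ANY_DATABASE_ROLES = {"read", "readWrite"}  # the only inherited roles not bound to admin


def _secret_is_watched(secrets, name, namespace):
    """True if a Secret with this name/namespace carries the credentials label."""
    for s in secrets:
        meta = s.get("metadata", {})
        if meta.get("name") == name and meta.get("namespace", "default") == namespace:
            key, value = CREDENTIALS_LABEL
            return meta.get("labels", {}).get(key) == value
    return False


def lint_custom_role(manifest: dict, secrets=()) -> list:
    """Return findings for one AtlasCustomRole manifest; an empty list means it passes."""
    findings = []
    if manifest.get("kind") != "AtlasCustomRole":
        findings.append("kind must be AtlasCustomRole")
    namespace = manifest.get("metadata", {}).get("namespace", "default")
    spec = manifest.get("spec", {})
    project_ref = spec.get("projectRef")
    external_ref = spec.get("externalProjectRef")
    secret_name = spec.get("connectionSecret", {}).get("name")

    if bool(project_ref) == bool(external_ref):
        findings.append("set exactly one of spec.projectRef or spec.externalProjectRef")
    if external_ref:
        if not external_ref.get("id"):
            findings.append("spec.externalProjectRef.id is required")
        if not secret_name:  # independent CRDs cannot inherit the parent project's credentials
            findings.append("spec.connectionSecret.name is mandatory for independent CRDs")
        if project_ref and project_ref.get("namespace"):
            findings.append("do not set spec.projectRef.namespace for an external project")
    if secret_name and not _secret_is_watched(secrets, secret_name, namespace):
        findings.append(f"Secret {secret_name!r} in {namespace!r} missing label "
                        f"{CREDENTIALS_LABEL[0]}={CREDENTIALS_LABEL[1]}; the operator will not watch it")

    role = spec.get("role", {})
    if not role.get("name"):
        findings.append("spec.role.name is required")
    for i, action in enumerate(role.get("actions", [])):
        if not action.get("name"):
            findings.append(f"spec.role.actions[{i}].name is required")
        for j, res in enumerate(action.get("resources", [])):
            where = f"spec.role.actions[{i}].resources[{j}]"
            scoped = "database" in res or "collection" in res
            if res.get("cluster") and scoped:
                findings.append(f"{where}: cluster is mutually exclusive with database/collection")
            elif not res.get("cluster") and "database" not in res:
                findings.append(f"{where}: set cluster: true or name a database")
    for i, inh in enumerate(role.get("inheritedRoles", [])):
        name, db = inh.get("name"), inh.get("database")
        if not name:
            findings.append(f"spec.role.inheritedRoles[{i}].name is required")
        if name not in ANY_DATABASE_ROLES and db not in (None, "admin"):
            findings.append(f"spec.role.inheritedRoles[{i}].database should be admin for {name!r}")
    return findings


# Constructed sample inputs; shapes follow the page's examples, the project ID is the page's own.
SHARD_OPERATOR_ROLE = {
    "name": "shard-operator",
    "actions": [{"name": a, "resources": [{"cluster": True}]}
                for a in ("getShardMap", "shardingState", "connPoolStats", "getLog")],
    "inheritedRoles": [{"name": "backup", "database": "admin"}],
}


def _manifest(spec):
    return {"apiVersion": "atlas.mongodb.com/v1", "kind": "AtlasCustomRole",
            "metadata": {"name": "shard-operator-role", "namespace": "mongodb-atlas-system"},
            "spec": spec}


MANAGED = _manifest({"projectRef": {"name": "my-project", "namespace": "my-operator-namespace"},
                     "role": SHARD_OPERATOR_ROLE})
INDEPENDENT = _manifest({"externalProjectRef": {"id": "671998971c8520583f24f411"},
                         "connectionSecret": {"name": "my-atlas-key"},
                         "role": SHARD_OPERATOR_ROLE})
LABELLED_SECRET = {"kind": "Secret", "metadata": {
    "name": "my-atlas-key", "namespace": "mongodb-atlas-system",
    "labels": {"atlas.mongodb.com/type": "credentials"}}}
UNLABELLED_SECRET = {"kind": "Secret", "metadata": {
    "name": "my-atlas-key", "namespace": "mongodb-atlas-system"}}
BROKEN = _manifest({  # every rule violated at least once
    "externalProjectRef": {"id": "671998971c8520583f24f411"},
    "projectRef": {"name": "my-project", "namespace": "my-operator-namespace"},
    "role": {"name": "too-broad",
             "actions": [{"name": "find", "resources": [{"cluster": True, "database": "orders"}]}],
             "inheritedRoles": [{"name": "dbAdmin", "database": "orders"}]},
})

if __name__ == "__main__":
    for label, m, secrets in (("managed", MANAGED, []), ("independent", INDEPENDENT, [LABELLED_SECRET]),
                              ("broken", BROKEN, [])):
        print(label, lint_custom_role(m, secrets) or "ok")
```

Run it as-is to see the managed and independent manifests pass and the broken one report five findings; in a pipeline, feed it the output of `kubectl get secret -o json` (converted to dicts) so the credentials-label check reflects the target namespace rather than a constructed list.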