
AtlasIPAccessList Custom Resource


The AtlasIPAccessList custom resource configures an IP access list for an Atlas project. An IP access list allows you to secure your project using a minimum-access policy.

Important

Custom Resources No Longer Delete Objects by Default

  • Atlas Kubernetes Operator uses custom resource configuration files to manage your Atlas configuration, but as of Atlas Kubernetes Operator 2.0, custom resources you delete in Kubernetes are no longer (by default) deleted in Atlas. Instead, Atlas Kubernetes Operator simply stops managing those resources in Atlas. For example, if you delete an AtlasProject Custom Resource in Kubernetes, by default the Atlas Kubernetes Operator no longer automatically deletes the corresponding project from Atlas. This change in behavior is intended to help prevent accidental or unexpected deletions. To learn more, including how to revert this behavior to the default used prior to Atlas Kubernetes Operator 2.0, see New Default: Deletion Protection in Atlas Kubernetes Operator 2.0.

    Similarly, Atlas Kubernetes Operator does not delete teams from Atlas if you remove them from an Atlas project in Kubernetes with the Atlas Kubernetes Operator.

  • Explicitly define your desired configuration details in order to avoid implicitly using default Atlas configuration values. In some cases, inheriting Atlas defaults may result in a reconciliation loop which can prevent your custom resource from achieving a READY state. For example, explicitly defining your desired autoscaling behavior in your AtlasDeployment custom resource, as shown in the included example, ensures that a static instance size in your custom resource is not being repeatedly applied to an Atlas deployment which has autoscaling enabled.

    autoScaling:
      diskGB:
        enabled: true
      compute:
        enabled: true
        scaleDownEnabled: true
        minInstanceSize: M30
        maxInstanceSize: M40

Atlas Kubernetes Operator does one of the following actions using the Atlas Project IP Access List API Resource:

  • Creates a new IP access list.

  • Replaces an existing IP access list.

Examples

Basic Example

The following example shows an AtlasIPAccessList custom resource that permits access to the my-project project from the following sources:

  • The CIDR block 192.168.1.0/24.

  • The single IP address 10.0.0.1. Access from 10.0.0.1 expires after the 31st of March, 2025.

  • The AWS security group sg-1234.

apiVersion: atlas.mongodb.com/v1
kind: AtlasIPAccessList
metadata:
  name: atlasipaccesslist-sample
spec:
  projectRef:
    name: my-project
    namespace: my-operator-namespace
  entries:
    - cidrBlock: 192.168.1.0/24
    - ipAddress: 10.0.0.1
      deleteAfterDate: 2025-03-31T23:59:59+02:00
    - awsSecurityGroup: sg-1234
      comment: "AWS Access to my network peering"

Independent CRD Example

The following example shows an AtlasIPAccessList independent CRD that permits access from the same CIDR block, IP address, and AWS security group permitted by the Basic Example. This custom resource definition allows you to create an IP access list in a project you manage outside the instance of Atlas Kubernetes Operator with which you define this resource. To enable independent operation, you must use an externalProjectRef instead of a projectRef, and you must supply a connectionSecret directly, because this resource can't inherit API credentials from a parent project.

apiVersion: atlas.mongodb.com/v1
kind: AtlasIPAccessList
metadata:
  name: atlasipaccesslist-sample
spec:
  externalProjectRef:
    id: 66e2f2b621571b7e69a89b66
  connectionSecret:
    name: atlas-connection-secret
  entries:
    - cidrBlock: 192.168.1.0/24
    - ipAddress: 10.0.0.1
      deleteAfterDate: 2025-03-31T23:59:59+02:00
    - awsSecurityGroup: sg-1234
      comment: "AWS Access to my network peering"

Parameters

This section describes the parameters available for the AtlasIPAccessList custom resource.

metadata.name

Type: string

Required

Name that the AtlasIPAccessList Custom Resource uses to add this IP access list to a project.

metadata.namespace

Type: string

Optional

Namespace other than default that you want to contain the atlasIPAccessList custom resource.

spec.connectionSecret.name

Type: string

Conditional

Name of the opaque secret that contains the organization ID and API keys that Atlas Kubernetes Operator uses to connect to Atlas. If unspecified, Atlas Kubernetes Operator defaults to one of the following options:

  • The spec.connectionSecretRef.name parameter of the parent atlasProject

  • The default global secret, if spec.connectionSecretRef.name is undefined for the parent atlasProject

This parameter is required for independent CRDs.

Atlas Kubernetes Operator watches secrets only with the label atlas.mongodb.com/type=credentials to avoid watching unnecessary secrets.

The following example labels a secret:

kubectl label secret the-user-password atlas.mongodb.com/type=credentials

spec.entries

Type: array

Required

Set of connection sources from which to permit access to the project.

spec.entries.[n].awsSecurityGroup

Type: string

Conditional

Unique identifier of the AWS security group from which to grant access to the project.

Each entry in spec.entries must have one and only one of awsSecurityGroup, cidrBlock, or ipAddress.

spec.entries.[n].cidrBlock

Type: string

Conditional

Range of IP addresses in CIDR block notation from which to grant access to the project.

Each entry in spec.entries must have one and only one of awsSecurityGroup, cidrBlock, or ipAddress.

spec.entries.[n].comment

Type: string

Optional

Comment associated with this access list entry.

spec.entries.[n].deleteAfterDate

Type: string

Optional

Date and time after which Atlas deletes the temporary access list entry.

To create a permanent access list entry, omit this parameter.

spec.entries.[n].ipAddress

Type: string

Conditional

Single IP address from which to grant access to the project.

Each entry in spec.entries must have one and only one of awsSecurityGroup, cidrBlock, or ipAddress.

spec.externalProjectRef.id

Type: string

Conditional

ID of the project to which the IP access list belongs. You must specify the project ID of an existing Atlas Project. This parameter is required for IP access lists that belong to projects managed by either:

  • A different instance of Atlas Kubernetes Operator

  • Tooling other than Atlas Kubernetes Operator

For IP access lists that belong to projects managed by the same instance of Atlas Kubernetes Operator, use spec.projectRef.name instead of spec.externalProjectRef.id.

An IP access list can belong to only one project. To define the same IP access list for multiple projects, create custom resource definitions for each project.

spec.projectRef.name

Type: string

Conditional

Name of the project to which the IP access list belongs. You must specify an existing AtlasProject Custom Resource. This parameter applies only to IP access lists that belong to projects managed by the same instance of Atlas Kubernetes Operator.

For IP access lists that belong to projects managed by either:

  • a different instance of Atlas Kubernetes Operator

  • tooling other than Atlas Kubernetes Operator

use spec.externalProjectRef.id.

An IP access list can belong only to one project. To define the same IP access list for multiple projects, create custom resource definitions for each project.
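The parameter rules above (exactly one of projectRef.name or externalProjectRef.id, a connectionSecret for independent CRDs, one and only one source per entry, and an optional deleteAfterDate) can all be checked before a manifest reaches the cluster. The following Python script is an added example and is not code from the Atlas Kubernetes Operator project or from this page. It assumes the manifest is already loaded into a dict of the shape yaml.safe_load returns (the two embedded manifests are constructed samples; the project ID in BROKEN_EXAMPLE is a placeholder), validates it against the rules this reference states, and additionally flags a CIDR block that permits every address, which would defeat the minimum-access policy the IP access list exists to enforce.

```python
"""Pre-apply lint for AtlasIPAccessList manifests (added example, standard library only).

Checks the rules the AtlasIPAccessList parameter reference states: exactly one of
projectRef.name / externalProjectRef.id, connectionSecret for independent CRDs,
one and only one source per entry, well-formed CIDR blocks and IP addresses, and
a deleteAfterDate that parses, carries a UTC offset and is still in the future.
"""
import ipaddress
from datetime import datetime, timezone

ENTRY_SOURCES = ("awsSecurityGroup", "cidrBlock", "ipAddress")

# Constructed sample: the page's Basic Example in the dict shape yaml.safe_load returns.
BASIC_EXAMPLE = {
    "apiVersion": "atlas.mongodb.com/v1",
    "kind": "AtlasIPAccessList",
    "metadata": {"name": "atlasipaccesslist-sample"},
    "spec": {
        "projectRef": {"name": "my-project", "namespace": "my-operator-namespace"},
        "entries": [
            {"cidrBlock": "192.168.1.0/24"},
            {"ipAddress": "10.0.0.1", "deleteAfterDate": "2025-03-31T23:59:59+02:00"},
            {"awsSecurityGroup": "sg-1234", "comment": "AWS Access to my network peering"},
        ],
    },
}

# Constructed sample: an independent CRD without a connectionSecret whose entries
# break the one-source rule, open the project to every address and carry a bad date.
BROKEN_EXAMPLE = {
    "apiVersion": "atlas.mongodb.com/v1",
    "kind": "AtlasIPAccessList",
    "metadata": {"name": "broken-sample"},
    "spec": {
        "externalProjectRef": {"id": "000000000000000000000000"},  # placeholder project ID
        "entries": [
            {"cidrBlock": "10.0.0.0/8", "ipAddress": "10.0.0.1"},
            {"cidrBlock": "0.0.0.0/0", "comment": "temporary"},
            {"awsSecurityGroup": "sg-1234", "deleteAfterDate": "not-a-date"},
        ],
    },
}


def _as_datetime(value):
    # yaml.safe_load turns an unquoted timestamp into a datetime already; quoted
    # values arrive as strings. Accept both so the check works on either input.
    return value if isinstance(value, datetime) else datetime.fromisoformat(str(value))


def check_entry(index, entry, now):
    """Return the problems found in one spec.entries item."""
    where = f"spec.entries[{index}]"
    problems = []
    sources = [key for key in ENTRY_SOURCES if entry.get(key)]
    if len(sources) != 1:
        problems.append(f"{where}: needs exactly one of {ENTRY_SOURCES}, found {sources}")
    if "cidrBlock" in entry:
        try:
            network = ipaddress.ip_network(entry["cidrBlock"], strict=True)
            if network.prefixlen == 0:  # 0.0.0.0/0 or ::/0 is not a minimum-access policy
                problems.append(f"{where}: cidrBlock {entry['cidrBlock']} permits every address")
        except ValueError:
            problems.append(f"{where}: cidrBlock {entry['cidrBlock']!r} is not valid CIDR notation")
    if "ipAddress" in entry:
        try:
            ipaddress.ip_address(entry["ipAddress"])
        except ValueError:
            problems.append(f"{where}: ipAddress {entry['ipAddress']!r} is not a valid IP address")
    if "awsSecurityGroup" in entry and not str(entry["awsSecurityGroup"]).startswith("sg-"):
        problems.append(f"{where}: awsSecurityGroup should be a security group ID (sg-...)")
    if "deleteAfterDate" in entry:
        raw = entry["deleteAfterDate"]
        try:
            expiry = _as_datetime(raw)
        except ValueError:
            problems.append(f"{where}: deleteAfterDate {raw!r} is not an ISO 8601 date-time")
        else:
            if expiry.tzinfo is None:
                problems.append(f"{where}: deleteAfterDate {raw!r} has no UTC offset")
            elif expiry <= now:
                problems.append(f"{where}: deleteAfterDate {raw} is already in the past")
    return problems


def validate(manifest, now=None):
    """Return a list of problems; an empty list means the manifest passes.

    `now` may be a datetime or an ISO 8601 string, which keeps checks reproducible.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    problems = []
    if manifest.get("kind") != "AtlasIPAccessList":
        problems.append("kind must be AtlasIPAccessList")
    if not (manifest.get("metadata") or {}).get("name"):
        problems.append("metadata.name is required")
    spec = manifest.get("spec") or {}
    has_project_ref = bool((spec.get("projectRef") or {}).get("name"))
    has_external_ref = bool((spec.get("externalProjectRef") or {}).get("id"))
    if has_project_ref == has_external_ref:
        problems.append("spec must set exactly one of projectRef.name or externalProjectRef.id")
    if has_external_ref and not (spec.get("connectionSecret") or {}).get("name"):
        problems.append("independent CRD: spec.connectionSecret.name is required")
    entries = spec.get("entries") or []
    if not entries:
        problems.append("spec.entries must contain at least one entry")
    for index, entry in enumerate(entries):
        problems.extend(check_entry(index, entry, now))
    return problems


if __name__ == "__main__":
    for name, manifest in (("basic", BASIC_EXAMPLE), ("broken", BROKEN_EXAMPLE)):
        found = validate(manifest)
        print(f"{name}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for problem in found:
            print("  -", problem)
```

Run against the Basic Example the script reports no problems as long as the current date is before the entry's deleteAfterDate; after that date it reports the expired entry, which is the kind of drift a periodic check of committed manifests catches before someone wonders why access disappeared. The 0.0.0.0/0 check is stricter than what Atlas itself enforces; it is there because a CIDR block that wide turns the access list into no restriction at all.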

spec.projectRef.namespace

Type: string

Conditional

Namespace in which the AtlasProject Custom Resource specified in spec.projectRef.name exists.

Do not set this parameter for IP access lists that belong to projects managed by either:

  • a different instance of Atlas Kubernetes Operator

  • tooling other than Atlas Kubernetes Operator
