MongoDB Enterprise Kubernetes Operator

Verify Permissions

Default Permissions for Kubernetes Operator Objects

Objects in the Kubernetes Operator configuration use default permissions. These are the minimum permissions for the Kubernetes Operator to deploy and manage Ops Manager and MongoDB resources in a Kubernetes cluster.

Use the following chart to verify that the objects in your Kubernetes Operator configuration have access to the required Kubernetes API verbs:

Kubernetes Resources and required API Verbs

Configmaps

Require the following permissions:

  • get, list, watch. The Kubernetes Operator reads the organization and project data from the specified configmap.

  • create, update. The Kubernetes Operator creates and updates configmap objects for configuring the Application Database instances.

  • delete. The Kubernetes Operator needs the delete configmap permission to support its older versions. This permission will be removed when those older versions reach their End of Life date.

Secrets

Require the following permissions:

  • get, list, watch. The Kubernetes Operator reads secret objects to retrieve sensitive data, such as TLS or X.509 access information. For example, it reads the credentials from a secret object to connect to the Ops Manager.

  • create, update. The Kubernetes Operator creates secret objects holding TLS or X.509 access information.

  • delete. The Kubernetes Operator deletes secret objects (containing passwords) related to the Application Database.

Services

Require the following permissions:

  • get, list, watch. The Kubernetes Operator reads and watches MongoDB services. For example, to communicate with the Ops Manager service, the Kubernetes Operator needs get, list and watch permissions to use the Ops Manager service's URL.

  • create, update. To communicate with services, the Kubernetes Operator creates and updates service objects corresponding to Ops Manager and MongoDB custom resources.

StatefulSets

Require the following permissions:

  • get, list, watch. The Kubernetes Operator reacts to the changes in the StatefulSets it creates for the MongoDB custom resources. It also reads the fields of the StatefulSets it manages.

  • create, update. The Kubernetes Operator creates and updates StatefulSets corresponding to the MongoDB custom resources.

  • delete. The Kubernetes Operator needs permissions to delete the StatefulSets when you delete the MongoDB custom resource.

Pods

Require the following permissions:

  • get, list, watch. The Kubernetes Operator queries the Application Database Pods to get information about their state.

Namespaces

Require the following permissions:

  • list, watch. When you run the Kubernetes Operator in cluster-wide mode, it needs the list and watch permissions on all namespaces so that it can find the MongoDB custom resources in any namespace.
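As an added example (not part of the MongoDB documentation or the Operator's own code), the following Python audits the rules of a Role or ClusterRole, as returned by `kubectl get role <name> -o json`, against the minimum verbs in the table above. It reports verbs the Operator still lacks (which would break deployments) and verbs granted beyond the documented minimum (which matter for least privilege, especially on Secrets). The sample Role is constructed for the example.

```python
import json

# Minimum verbs per resource, taken from this page's table; namespaces only matters in cluster-wide mode.
REQUIRED_VERBS = {
    "configmaps":   {"get", "list", "watch", "create", "update", "delete"},
    "secrets":      {"get", "list", "watch", "create", "update", "delete"},
    "services":     {"get", "list", "watch", "create", "update"},
    "statefulsets": {"get", "list", "watch", "create", "update", "delete"},
    "pods":         {"get", "list", "watch"},
    "namespaces":   {"list", "watch"},
}
ALL_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}  # what a "*" verb expands to

def granted_verbs(rules):
    """Flatten RBAC rules into {resource: set(verbs)}, expanding '*' wildcards."""
    granted = {}
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            verbs = set(ALL_VERBS)
        resources = rule.get("resources", [])
        if "*" in resources:  # a wildcard resource covers every resource we track
            resources = list(REQUIRED_VERBS)
        for res in resources:
            granted.setdefault(res, set()).update(verbs)
    return granted

def audit(rules, cluster_wide=False):
    """Return (missing, excess): verbs the Operator still lacks, and verbs beyond the documented minimum."""
    granted = granted_verbs(rules)
    missing, excess = {}, {}
    for res, need in REQUIRED_VERBS.items():
        if res == "namespaces" and not cluster_wide:
            need = set()  # single-namespace mode: any namespace verb is excess
        have = granted.get(res, set())
        if need - have:
            missing[res] = sorted(need - have)
        if have - need:
            excess[res] = sorted(have - need)
    for res, have in granted.items():  # resources the table does not list at all
        if res not in REQUIRED_VERBS:
            excess[res] = sorted(have)
    return missing, excess

# Constructed sample: the "rules" field of a Role as printed by `kubectl get role <name> -o json`.
SAMPLE_ROLE = json.loads("""{"rules": [
 {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get","list","watch","create","update","delete"]},
 {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}, {"apiGroups": [""], "resources": ["services"], "verbs": ["get","list","watch"]},
 {"apiGroups": ["apps"], "resources": ["statefulsets"], "verbs": ["get","list","watch","create","update","delete"]},
 {"apiGroups": [""], "resources": ["pods"], "verbs": ["get","list","watch","delete"]}]}""")
```

Running `audit(SAMPLE_ROLE["rules"])` flags Services as missing create and update, and flags the Secrets wildcard and the extra delete on Pods as excess; passing `cluster_wide=True` additionally reports the missing list and watch on Namespaces.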
