--- title: "Install Aerospike Kubernetes Operator on OLM through OperatorHub" description: "Install Aerospike Kubernetes Operator via OLM and OperatorHub, including log verification and permission setup." --- # Install Aerospike Kubernetes Operator on OLM through OperatorHub > For the complete documentation index see: [llms.txt](https://aerospike.com/docs/llms.txt) > > All documentation pages available in markdown. ::: note In Kubernetes 1.23 and later, Pod Security Admission (PSA) is enabled by default. Make sure the namespace where the Aerospike Operator is installed has either `baseline` or `privileged` Pod Security Standard level set. The `restricted` level is not supported by Aerospike. The default Pod Security Standard level in Kubernetes 1.23 is `privileged`. For more details, see [Apply Pod Security Standards](https://kubernetes.io/docs/tutorials/security/ns-level-pss/). ::: ## Requirements - [kubectl](https://kubernetes.io/docs/tasks/tools/) - A running Kubernetes cluster. - Install [minikube](https://minikube.sigs.k8s.io/docs/start/?arch=%2Fmacos%2Farm64%2Fstable%2Fhomebrew) to create a local cluster. - See the [Kubernetes documentation](https://kubernetes.io/docs/setup/) to explore other options. ## Install AKO 1. Install the Operator Lifecycle Manager (OLM) on your Kubernetes cluster. Terminal window ```bash curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.31.0/install.sh | bash -s v0.31.0 ``` 2. Use `kubectl` to install AKO on your Kubernetes cluster using the YAML configuration file hosted on OperatorHub. Terminal window ```bash kubectl create -f https://operatorhub.io/install/aerospike-kubernetes-operator.yaml ``` 3. Verify that AKO’s Cluster Service Version (CSV) is in the `Succeeded` phase. Terminal window ```bash kubectl get csv -n operators aerospike-kubernetes-operator.v4.0.2 -w ``` Output You should see output similar to the following: Terminal window ```bash NAME DISPLAY VERSION REPLACES PHASE aerospike-kubernetes-operator.v4.0.2 Aerospike Kubernetes Operator 4.0.2 Succeeded ``` ### Check AKO logs AKO runs as two replicas by default for higher availability. Run the following command to follow the logs for the AKO pods. ```plaintext kubectl -n operators logs -f deployments/aerospike-operator-controller-manager manager ``` Sample output: Terminal window ```shell 2025-02-04T07:59:36Z INFO setup Initializing webhook certificate watcher using provided certificates {"webhook-cert-path": "/tmp/k8s-webhook-server/serving-certs", "webhook-cert-name": "tls.crt", "webhook-cert-key": "tls.key"} 2025-02-04T07:59:36Z INFO controller-runtime.certwatcher Updated current TLS certificate 2025-02-04T07:59:36Z INFO setup Init aerospike-server config schemas 2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.3.0"} 2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.4.0"} 2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "7.0.0"} 2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "7.1.0"} 2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "7.2.0"} 2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.0.0"} 2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.1.0"} 2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "6.2.0"} 2025-02-04T07:59:36Z DEBUG setup Config schema added {"version": "8.0.0"} 2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"} 2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"} 2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/validate-asdb-aerospike-com-v1-aerospikecluster"} 2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1-aerospikecluster"} 2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackupService", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackupService", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackup", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackup", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeRestore", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2025-02-04T07:59:36Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeRestore", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2025-02-04T07:59:36Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2025-02-04T07:59:36Z INFO setup Adding webhook certificate watcher to manager 2025-02-04T07:59:36Z INFO setup Starting manager 2025-02-04T07:59:36Z INFO controller-runtime.metrics Starting metrics server 2025-02-04T07:59:36Z INFO setup disabling http/2 2025-02-04T07:59:36Z INFO starting server {"name": "health probe", "addr": "[::]:8081"} 2025-02-04T07:59:36Z INFO controller-runtime.webhook Starting webhook server 2025-02-04T07:59:36Z INFO setup disabling http/2 2025-02-04T07:59:36Z INFO controller-runtime.webhook Serving webhook server {"host": "", "port": 9443} ``` ### Grant permissions to the target namespaces Grant additional permissions by configuring ServiceAccounts and RoleBindings/ClusterRoleBindings for the target Kubernetes namespace where the Aerospike clusters are created. AKO is installed in the `operators` namespace on an OLM installation. You can use the `kubectl` or `akoctl` tools to grant permissions for the `aerospike` namespace. - [kubectl](#tab-panel-3382) - [akoctl](#tab-panel-3383) 1. Create the Kubernetes namespace if it doesn’t already exist. ```plaintext kubectl create namespace aerospike ``` 2. Create a service account. ```plaintext kubectl -n aerospike create serviceaccount aerospike-operator-controller-manager ``` 3. Create a RoleBinding or ClusterRoleBinding to attach this service account to the `aerospike-cluster` ClusterRole. This ClusterRole is created as part of AKO installation and grants Aerospike cluster permissions to the service account. - For using the Kubernetes native pod-only network to connect to the Aerospike cluster: 1. Create a RoleBinding with the following command: ```plaintext kubectl -n aerospike create rolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager ``` - For connecting to the Aerospike cluster from outside Kubernetes: 1. Create a ClusterRoleBinding with the following command: ```plaintext kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager ``` Add multiple `--serviceaccount` parameters to the previous command to attach multiple service accounts of different namespaces at one time. Example: To attach service accounts of the aerospike and aerospike1 namespaces: ```plaintext kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager --serviceaccount=aerospike1:aerospike-operator-controller-manager ``` 2. If the required ClusterRoleBinding already exists in the cluster, edit it to attach a new service account. ```plaintext kubectl edit clusterrolebinding aerospike-cluster ``` 3. The `kubectl edit` command launches an editor. Append the following lines to the `subjects` section: ```plaintext kind: ServiceAccount name: aerospike-operator-controller-manager namespace: aerospike ``` 4. Save and ensure that the changes are applied. For instructions on installing the `akoctl` plugin, see [akoctl installation](https://aerospike.com/docs/kubernetes/manage/akoctl/#install-akoctl-with-krew-plugin-manager). - For using the Kubernetes native pod-only network to connect to the Aerospike cluster, grant namespace scope permissions: ```plaintext kubectl akoctl auth create -n aerospike --cluster-scope=false ``` - For connecting to the Aerospike cluster from outside Kubernetes, grant cluster scope permissions: ```plaintext kubectl akoctl auth create -n aerospike ``` To grant permissions for multiple namespaces at the same time, specify a comma-separated namespace list with the `-n` flag. ```plaintext kubectl akoctl auth create -n aerospike,aerospike1 ```