# Install Aerospike Kubernetes Operator on Red Hat OpenShift Aerospike Kubernetes Operator (AKO) is a RedHat Marketplace certified operator. It is available through the RedHat certified operators catalog. ## Install AKO You can install AKO on your OpenShift cluster using any of the following methods: - [Web Console](#tab-panel-1001) - [Command Line](#tab-panel-1002) This is the procedure to install AKO on Red Hat OpenShift using the web console. 1. Launch the OpenShift web console. 2. Using the `Administrator` view, navigate to `Operators` > `OperatorHub`. 3. Search for `Aerospike`. 4. Select the `Marketplace` version of the Aerospike Kubernetes Operator as shown in the following image. ![Select the marketplace version.](https://aerospike.com/docs/_astro/rhmp-ako-search.BRvy7kOr_Z1scVbu.png) 5. A dialog appears describing AKO as shown in the following image. Click `Install` to install AKO. ![Click Install.](https://aerospike.com/docs/_astro/rhmp-ako-install.DnZf-wh2_2jUhTz.png) 6. Configure AKO installation using the following image as an example. ![Configuration settings.](https://aerospike.com/docs/_astro/rhmp-ako-install-configure.B6TgEEA2_ZtygHR.png) 7. Select `openshift-operators` as the namespace. 8. Select `Automatic` for `Upgrade Approval` to automatically upgrade AKO whenever upgrades are available. After a successful installation, a message similar to the following appears. ![A complete installation.](https://aerospike.com/docs/_astro/rhmp-ako-install-complete.CeQkHIk9_Z1szBkA.png) 9. Select `View Operator` to verify the AKO details. The details should be similar to the following example: ![AKO details.](https://aerospike.com/docs/_astro/rhmp-ako-details.Cm06BCaX_ZwasnI.png) 10. From a terminal, log in to the OpenShift cluster and ensure that the `oc` and `kubectl` commands connect to the correct OpenShift cluster. This is the procedure to install AKO on Red Hat OpenShift using the command line tools. 1. From a terminal, log in to the OpenShift cluster and ensure that the `oc` and `kubectl` commands connect to the correct OpenShift cluster. ::: tip The following instructions also work with the [OpenShift command line tool `oc`](https://docs.openshift.com/container-platform/4.15/welcome/index.html) ::: 2. Ensure the AKO package is visible by running the following command. Terminal window ```bash kubectl get packagemanifests aerospike-kubernetes-operator-rhmp -n openshift-marketplace ``` Output Terminal window ```bash NAME CATALOG AGE aerospike-kubernetes-operator-rhmp Red Hat Marketplace 22d ``` 3. Create a subscription file `aerospike-kubernetes-operator.yaml` with the following contents: ```yaml apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: aerospike-kubernetes-operator-rhmp namespace: openshift-operators spec: channel: stable installPlanApproval: Automatic #Automatically upgrades AKO whenever upgrades are available name: aerospike-kubernetes-operator-rhmp source: redhat-marketplace sourceNamespace: openshift-marketplace startingCSV: aerospike-kubernetes-operator-rhmp.v{{version}} ``` 4. Create this subscription using the following command: Terminal window ```bash kubectl apply -f aerospike-kubernetes-operator.yaml ``` 5. Wait about 20 seconds for the install process to begin. 6. Verify that AKO’s CSV is in the `Succeeded` phase with the following command: Terminal window ```bash kubectl get csv -n openshift-operators aerospike-kubernetes-operator-rhmp.v4.1.2 ``` Output Wait for the “PHASE” status to change from `Installing` to `Succeeded`: Terminal window ```bash NAME DISPLAY VERSION REPLACES PHASE aerospike-kubernetes-operator.v4.1.2 Aerospike Kubernetes Operator 4.1.2 aerospike-kubernetes-operator.v4.0.2 Installing aerospike-kubernetes-operator.v4.1.2 Aerospike Kubernetes Operator 4.1.2 aerospike-kubernetes-operator.v4.0.2 Succeeded ``` ## Check AKO logs AKO runs as two replicas by default for higher availability. Run the following command to follow the logs for the AKO pods. ```plaintext kubectl -n openshift-operators logs -f deployments/aerospike-operator-controller-manager manager ``` Sample output: Terminal window ```shell 2025-08-06T08:42:37Z INFO setup Initializing webhook certificate watcher using provided certificates {"webhook-cert-path": "/tmp/k8s-webhook-server/serving-certs", "webhook-cert-name": "tls.crt", "webhook-cert-key": "tls.key"} 2025-08-06T08:42:37Z INFO controller-runtime.certwatcher Updated current TLS certificate 2025-08-06T08:42:37Z INFO setup Init aerospike-server config schemas 2025-08-06T08:42:37Z DEBUG setup Config schema added {"version": "6.0.0"} 2025-08-06T08:42:37Z DEBUG setup Config schema added {"version": "6.3.0"} 2025-08-06T08:42:37Z DEBUG setup Config schema added {"version": "7.1.0"} 2025-08-06T08:42:37Z DEBUG setup Config schema added {"version": "8.0.0"} 2025-08-06T08:42:37Z DEBUG setup Config schema added {"version": "8.1.0"} 2025-08-06T08:42:37Z DEBUG setup Config schema added {"version": "6.1.0"} 2025-08-06T08:42:37Z DEBUG setup Config schema added {"version": "6.2.0"} 2025-08-06T08:42:37Z DEBUG setup Config schema added {"version": "6.4.0"} 2025-08-06T08:42:37Z DEBUG setup Config schema added {"version": "7.0.0"} 2025-08-06T08:42:37Z DEBUG setup Config schema added {"version": "7.2.0"} 2025-08-06T08:42:37Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"} 2025-08-06T08:42:37Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"} 2025-08-06T08:42:37Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/validate-asdb-aerospike-com-v1-aerospikecluster"} 2025-08-06T08:42:37Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1-aerospikecluster"} 2025-08-06T08:42:37Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackupService", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2025-08-06T08:42:37Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2025-08-06T08:42:37Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackupService", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2025-08-06T08:42:37Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2025-08-06T08:42:37Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackup", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2025-08-06T08:42:37Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2025-08-06T08:42:37Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackup", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2025-08-06T08:42:37Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2025-08-06T08:42:37Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeRestore", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2025-08-06T08:42:37Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2025-08-06T08:42:37Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeRestore", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2025-08-06T08:42:37Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2025-08-06T08:42:37Z INFO setup Adding webhook certificate watcher to manager 2025-08-06T08:42:37Z INFO setup Starting manager 2025-08-06T08:42:37Z INFO controller-runtime.metrics Starting metrics server 2025-08-06T08:42:37Z INFO starting server {"name": "health probe", "addr": "[::]:8081"} 2025-08-06T08:42:37Z INFO setup disabling http/2 2025-08-06T08:42:37Z INFO controller-runtime.webhook Starting webhook server 2025-08-06T08:42:37Z INFO setup disabling http/2 2025-08-06T08:42:37Z INFO controller-runtime.webhook Serving webhook server {"host": "", "port": 9443} ``` ## Grant permissions to the target namespaces AKO is installed in the `openshift-operators` namespace. Grant additional permissions by configuring ServiceAccounts and RoleBindings or ClusterRoleBindings for the target Kubernetes namespace where the Aerospike clusters are created. You can use the `kubectl` or `akoctl` tools to grant permissions for the `aerospike` namespace. - [kubectl](#tab-panel-1003) - [akoctl](#tab-panel-1004) 1. Create the Kubernetes namespace if it doesn’t already exist. ```plaintext kubectl create namespace aerospike ``` 2. Create a service account. ```plaintext kubectl -n aerospike create serviceaccount aerospike-operator-controller-manager ``` 3. Create a RoleBinding or ClusterRoleBinding to attach this service account to the `aerospike-cluster` ClusterRole. This ClusterRole is created as part of AKO installation and grants Aerospike cluster permissions to the service account. - For using the Kubernetes native pod-only network to connect to the Aerospike cluster: 1. Create a RoleBinding with the following command: ```plaintext kubectl -n aerospike create rolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager ``` - For connecting to the Aerospike cluster from outside Kubernetes: 1. Create a ClusterRoleBinding with the following command: ```plaintext kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager ``` Add multiple `--serviceaccount` parameters to the previous command to attach multiple service accounts of different namespaces at one time. Example: To attach service accounts of the aerospike and aerospike1 namespaces: ```plaintext kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager --serviceaccount=aerospike1:aerospike-operator-controller-manager ``` 2. If the required ClusterRoleBinding already exists in the cluster, edit it to attach a new service account. ```plaintext kubectl edit clusterrolebinding aerospike-cluster ``` 3. The `kubectl edit` command launches an editor. Append the following lines to the `subjects` section: ```plaintext kind: ServiceAccount name: aerospike-operator-controller-manager namespace: aerospike ``` 4. Save and ensure that the changes are applied. For instructions on installing the `akoctl` plugin, see [akoctl installation](https://aerospike.com/docs/kubernetes/manage/akoctl/#install-akoctl-with-krew-plugin-manager). - For using the Kubernetes native pod-only network to connect to the Aerospike cluster, grant namespace scope permissions: ```plaintext kubectl akoctl auth create -n aerospike --cluster-scope=false ``` - For connecting to the Aerospike cluster from outside Kubernetes, grant cluster scope permissions: ```plaintext kubectl akoctl auth create -n aerospike ``` To grant permissions for multiple namespaces at the same time, specify a comma-separated namespace list with the `-n` flag. ```plaintext kubectl akoctl auth create -n aerospike,aerospike1 ``` ## OpenShift Security Context Constraints (SCC) On OpenShift clusters, administrators can use security context constraints (SCCs) to control permissions for pods. These permissions control which actions a pod can perform and which resources it can access. You can use SCCs to define a set of conditions that a pod must run with in order to be accepted into the system. In order to run Aerospike Database Enterprise Edition clusters on OpenShift, the Aerospike pods need to be granted access to some of the cluster SCCs. The following SCCs are commonly used in most Aerospike deployments. See the [OpenShift SCC Guide](https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html) for additional details. #### SCC `anyuid` (required) Aerospike Database Enterprise Edition images are designed to run as some non-root (any) UID. On OpenShift, this requires Aerospike pods to be allowed to run with any UID, requiring the `anyuid` SCC. Grant this SCC to the Aerospike cluster service account for the `aerospike` namespace using the following command: ```plaintext oc adm policy add-scc-to-user anyuid system:serviceaccount:aerospike:aerospike-operator-controller-manager ``` #### SCC `hostnetwork` (optional) This SCC allows using host networking and host ports. Grant this SCC to the Aerospike cluster service account for the `aerospike` namespace using the following command: ```plaintext oc adm policy add-scc-to-user hostnetwork system:serviceaccount:aerospike:aerospike-operator-controller-manager ``` #### SCC `privileged` (optional) This SCC allows access to all privileged and host features and the ability to run as any user, any group, any FSGroup, and with any SELinux context. This is required to run `Index on Flash` storage configuration with Aerospike primary index stored on SSD devices. Grant this SCC to the Aerospike cluster service account for the `aerospike` namespace using the following command: ```plaintext oc adm policy add-scc-to-user privileged system:serviceaccount:aerospike:aerospike-operator-controller-manager ``` ## Next steps AKO is now installed and watching the namespaces you configured. - To deploy your first Aerospike cluster, continue to [Create an Aerospike cluster on Kubernetes](https://aerospike.com/docs/kubernetes/4.1.x/install/deploy/kubectl). - For a step‑by‑step tutorial including AKO and a sample cluster on GKE or EKS, see [Get started with AKO in the cloud](https://aerospike.com/docs/kubernetes/4.1.x/learn/get-started-cloud/).