# Install Aerospike Kubernetes Operator using Helm This page describes how to use Helm charts to install the Aerospike Kubernetes Operator (AKO). Helm charts are groups of YAML files that describe Kubernetes resources and their current configurations. If you plan to use Helm charts to deploy Aerospike clusters, you also need to use Helm to install the AKO on your Kubernetes deployment. ## Prerequisites - [kubectl](https://kubernetes.io/docs/tasks/tools/) - A running Kubernetes cluster. - For a quick start, install [minikube](https://minikube.sigs.k8s.io/docs/start/?arch=%2Fmacos%2Farm64%2Fstable%2Fhomebrew) to create a local cluster. - See the [Kubernetes documentation](https://kubernetes.io/docs/setup/) to explore other options. - [cert-manager](https://cert-manager.io/docs/installation/). AKO uses admission webhooks, which need TLS certificates issued by `cert-manager`. - [Helm](https://helm.sh/docs/intro/install/) In Kubernetes 1.23 and later, Pod Security Admission (PSA) is enabled by default. Make sure the namespace where the AKO is installed has either `baseline` or `privileged` Pod Security Standard level set. The `restricted` level is not supported by Aerospike. The default Pod Security Standard level in Kubernetes 1.23 is `privileged`. For more details, see [Apply Pod Security Standards](https://kubernetes.io/docs/tutorials/security/ns-level-pss/). ## Install AKO 1. Add the Helm repository to get the AKO Helm charts. If you already have a Helm repo named `aerospike`, choose a different name. Terminal window ```bash helm repo add aerospike https://aerospike.github.io/aerospike-kubernetes-enterprise helm repo update ``` This URL is a Helm chart repository. Helm reads the `index.yaml` at this location internally. If you open it in a browser you may see a 404. Go to `https://aerospike.github.io/aerospike-kubernetes-enterprise/index.yaml` to inspect the YAML manually. 2. Install AKO on your Kubernetes cluster. Replace the placeholder `NAMESPACE_NAME` with your own namespace name. If `--namespace` is not given, AKO uses a namespace called `default`. Terminal window ```bash helm install aerospike-kubernetes-operator aerospike/aerospike-kubernetes-operator --namespace NAMESPACE_NAME --version=4.3.0 --set watchNamespaces="aerospike" ``` ### Check AKO logs AKO runs as two replicas by default for higher availability. Run the following command to follow the logs for the AKO pods. ```plaintext kubectl -n NAMESPACE_NAME logs -f deployments/aerospike-kubernetes-operator manager ``` Sample output: Terminal window ```shell 2026-01-08T14:27:14Z INFO setup Initializing webhook certificate watcher using provided certificates {"webhook-cert-path": "/tmp/k8s-webhook-server/serving-certs", "webhook-cert-name": "tls.crt", "webhook-cert-key": "tls.key"} 2026-01-08T14:27:14Z INFO controller-runtime.certwatcher Updated current TLS certificate 2026-01-08T14:27:14Z INFO setup Init aerospike-server config schemas 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "6.0.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "6.1.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "6.2.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "7.0.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "8.0.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "8.1.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "6.3.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "6.4.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "7.1.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "7.2.0"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/validate-asdb-aerospike-com-v1-aerospikecluster"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1-aerospikecluster"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackupService", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackupService", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackup", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackup", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeRestore", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeRestore", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2026-01-08T14:27:14Z INFO eviction-webhook Eviction webhook metrics registered 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-eviction"} 2026-01-08T14:27:14Z INFO setup Adding webhook certificate watcher to manager 2026-01-08T14:27:14Z INFO setup Starting manager 2026-01-08T14:27:14Z INFO starting server {"name": "health probe", "addr": "[::]:8081"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Starting webhook server 2026-01-08T14:27:14Z INFO setup disabling http/2 2026-01-08T14:27:14Z INFO controller-runtime.webhook Serving webhook server {"host": "", "port": 9443} ``` ### Grant permissions to the target namespaces (required before creating clusters) AKO is installed in the namespace that you chose in step 2 in the “Install AKO” section. Grant additional permissions by configuring ServiceAccounts and RoleBindings or ClusterRoleBindings for the target Kubernetes namespace where the Aerospike clusters are created. AKO can only create Aerospike clusters in namespaces where it has been granted the `aerospike-cluster` role. For a first‑time setup, grant permissions to a single namespace used for your test cluster. You can use the `kubectl` or `akoctl` tools to grant permissions for the `aerospike` namespace. - [kubectl](#tab-panel-3045) - [akoctl](#tab-panel-3046) 1. Create the Kubernetes namespace if it doesn’t already exist. ```plaintext kubectl create namespace aerospike ``` 2. Create a service account. ```plaintext kubectl -n aerospike create serviceaccount aerospike-operator-controller-manager ``` 3. Create a RoleBinding or ClusterRoleBinding to attach this service account to the `aerospike-cluster` ClusterRole. This ClusterRole is created as part of AKO installation and grants Aerospike cluster permissions to the service account. - For using the Kubernetes native pod-only network to connect to the Aerospike cluster: 1. Create a RoleBinding with the following command: ```plaintext kubectl -n aerospike create rolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager ``` - For connecting to the Aerospike cluster from outside Kubernetes: 1. Create a ClusterRoleBinding with the following command: ```plaintext kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager ``` Add multiple `--serviceaccount` parameters to the previous command to attach multiple service accounts of different namespaces at one time. Example: To attach service accounts of the aerospike and aerospike1 namespaces: ```plaintext kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager --serviceaccount=aerospike1:aerospike-operator-controller-manager ``` 2. If the required ClusterRoleBinding already exists in the cluster, edit it to attach a new service account. ```plaintext kubectl edit clusterrolebinding aerospike-cluster ``` 3. The `kubectl edit` command launches an editor. Append the following lines to the `subjects` section: ```plaintext kind: ServiceAccount name: aerospike-operator-controller-manager namespace: aerospike ``` 4. Save and ensure that the changes are applied. For instructions on installing the `akoctl` plugin, see [akoctl installation](https://aerospike.com/docs/kubernetes/manage/akoctl/#install-akoctl-with-krew-plugin-manager). - For using the Kubernetes native pod-only network to connect to the Aerospike cluster, grant namespace scope permissions: ```plaintext kubectl akoctl auth create -n aerospike --cluster-scope=false ``` - For connecting to the Aerospike cluster from outside Kubernetes, grant cluster scope permissions: ```plaintext kubectl akoctl auth create -n aerospike ``` To grant permissions for multiple namespaces at the same time, specify a comma-separated namespace list with the `-n` flag. ```plaintext kubectl akoctl auth create -n aerospike,aerospike1 ``` ## Configuration reference | Name | Description | Default | | --- | --- | --- | | `replicas` | Number of AKO replicas | `2` | | `operatorImage.repository` | AKO image repository | `aerospike/aerospike-kubernetes-operator` | | `operatorImage.tag` | AKO image tag | 4.3.0 | | `operatorImage.pullPolicy` | Image pull policy | `IfNotPresent` | | `imagePullSecrets` | Secrets containing credentials to pull AKO image from a private registry | `{}` (nil) | | `rbac.create` | Set this to `true` to let helm chart automatically create RBAC resources necessary for AKO | `true` | | `rbac.serviceAccountName` | If `rbac.create=false`, provide a service account name to be used with the AKO deployment | `default` | | `healthPort` | Health port | `8081` | | `metricsPort` | Metrics port | `8080` | | `certs.create` | Set this to `true` to let Helm chart automatically create certificates using `cert-manager` | `true` | | `certs.webhookServerCertSecretName` | Kubernetes secret name that contains webhook server certificates | `webhook-server-cert` | | `watchNamespaces` | Namespaces to watch. AKO watches for `AerospikeCluster` custom resources in these namespaces. | `default` | | `safePodEviction.enable` | Enable the eviction webhook to safely block Aerospike pod evictions during node maintenance. Also enables Prometheus metrics (`aerospike_ako_eviction_webhook_requests_total` with labels: eviction\_namespace, decision). | `false` | | `safePodEviction.timeoutSeconds` | Timeout in seconds that the Kubernetes API server waits for the safe pod eviction webhook to respond on each eviction request. | `20` | | `failedPodGracePeriodSeconds` | Grace period to delete/recover failed pods (in seconds) | `60` | | `aerospikeKubernetesInitRegistry` | Registry used to pull aerospike-init image | `docker.io` | | `resources` | Resource requests and limits for the AKO pods | `requests.cpu: 10m`, `requests.memory: 64Mi` , `limits.cpu: 200m`, `limits.memory: 256Mi` | | `affinity` | Affinity rules for the AKO deployment | `{}` (nil) | | `extraEnv` | Extra environment variables that are passed into the AKO pods | `{}` (nil) | | `nodeSelector` | Node selectors for scheduling the AKO pods based on node labels | `{}` (nil) | | `tolerations` | Tolerations for scheduling the AKO pods based on node taints | `{}` (nil) | | `annotations` | Annotations for the AKO deployment | `{}` (nil) | | `labels` | Labels for the AKO deployment | `{}` (nil) | | `podAnnotations` | Annotations for the AKO pods | `{}` (nil) | | `podLabels` | Labels for the AKO pods | `{}` (nil) | | `metricsService.labels` | Labels for the AKO metrics service | `{}` (nil) | | `metricsService.annotations` | Annotations for the AKO metrics service | `{}` (nil) | | `metricsService.port` | The AKO metrics service port | `8443` | | `metricsService.type` | The AKO metrics service type | `ClusterIP` | | `webhookService.labels` | Labels for the AKO webhook service | `{}` (nil) | | `webhookService.annotations` | Annotations for the AKO webhook service | `{}` (nil) | | `webhookService.port` | The AKO webhook service port | `443` | | `webhookService.targetPort` | The AKO webhook target port | `9443` | | `webhookService.type` | The AKO webhook service type | `ClusterIP` | | `podSecurityContext` | Security context for the AKO pods | `{}` (nil) | | `securityContex.allowPrivilegeEscalation` | Set `allowPrivilegeEscalation` in Security context for the AKO container | `false` | | `livenessProbe` | Liveliness probe for the AKO container | `initialDelaySeconds: 15`, `periodSeconds: 20`, `timeoutSeconds: 1`, `successThreshold: 1`, `failureThreshold: 3` | | `readinessProbe` | Readiness probe for the AKO container | `initialDelaySeconds: 5`, `periodSeconds: 10`, `timeoutSeconds: 1`, `successThreshold: 1`, `failureThreshold: 3` | ## Next steps AKO is now installed and watching the namespaces you configured. - To deploy your first Aerospike cluster with Helm, continue to [Use Helm to create an Aerospike Cluster on Kubernetes](https://aerospike.com/docs/kubernetes/4.3.x/install/deploy/helm). - For a step‑by‑step tutorial including AKO and a sample cluster on GKE or EKS, see [Get started with AKO in the cloud](https://aerospike.com/docs/kubernetes/4.3.x/learn/get-started-cloud/).