# Install Aerospike Kubernetes Operator on OLM through OperatorHub In Kubernetes 1.23 and later, Pod Security Admission (PSA) is enabled by default. Make sure the namespace where the Aerospike Operator is installed has either `baseline` or `privileged` Pod Security Standard level set. The `restricted` level is not supported by Aerospike. The default Pod Security Standard level in Kubernetes 1.23 is `privileged`. For more details, see [Apply Pod Security Standards](https://kubernetes.io/docs/tutorials/security/ns-level-pss/). ## Prerequisites - [kubectl](https://kubernetes.io/docs/tasks/tools/) - A running Kubernetes cluster. - For a quick start, install [minikube](https://minikube.sigs.k8s.io/docs/start/?arch=%2Fmacos%2Farm64%2Fstable%2Fhomebrew) to create a local cluster. - See the [Kubernetes documentation](https://kubernetes.io/docs/setup/) to explore other options. ## Install AKO 1. Install the Operator Lifecycle Manager (OLM) on your Kubernetes cluster. Terminal window ```bash curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.32.0/install.sh | bash -s v0.32.0 ``` 2. Use `kubectl` to install AKO on your Kubernetes cluster using the YAML configuration file hosted on OperatorHub. Terminal window ```bash kubectl create -f https://operatorhub.io/install/aerospike-kubernetes-operator.yaml ``` 3. Verify that AKO’s Cluster Service Version (CSV) is in the `Succeeded` phase. Terminal window ```bash kubectl get csv -n operators aerospike-kubernetes-operator.v4.3.0 -w ``` Output You should see output similar to the following: Terminal window ```bash NAME DISPLAY VERSION REPLACES PHASE aerospike-kubernetes-operator.v4.3.0 Aerospike Kubernetes Operator 4.3.0 Succeeded ``` ### Check AKO logs AKO runs as two replicas by default for higher availability. Run the following command to follow the logs for the AKO pods. ```plaintext kubectl -n operators logs -f deployments/aerospike-operator-controller-manager manager ``` Sample output: Terminal window ```shell 2026-01-08T14:27:14Z INFO setup Initializing webhook certificate watcher using provided certificates {"webhook-cert-path": "/tmp/k8s-webhook-server/serving-certs", "webhook-cert-name": "tls.crt", "webhook-cert-key": "tls.key"} 2026-01-08T14:27:14Z INFO controller-runtime.certwatcher Updated current TLS certificate 2026-01-08T14:27:14Z INFO setup Init aerospike-server config schemas 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "6.0.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "6.1.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "6.2.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "7.0.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "8.0.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "8.1.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "6.3.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "6.4.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "7.1.0"} 2026-01-08T14:27:14Z DEBUG setup Config schema added {"version": "7.2.0"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1-aerospikecluster"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1, Kind=AerospikeCluster", "path": "/validate-asdb-aerospike-com-v1-aerospikecluster"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1-aerospikecluster"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackupService", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackupService", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackupservice"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackup", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeBackup", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikebackup"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a mutating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeRestore", "path": "/mutate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/mutate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2026-01-08T14:27:14Z INFO controller-runtime.builder Registering a validating webhook {"GVK": "asdb.aerospike.com/v1beta1, Kind=AerospikeRestore", "path": "/validate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-asdb-aerospike-com-v1beta1-aerospikerestore"} 2026-01-08T14:27:14Z INFO eviction-webhook Eviction webhook metrics registered 2026-01-08T14:27:14Z INFO controller-runtime.webhook Registering webhook {"path": "/validate-eviction"} 2026-01-08T14:27:14Z INFO setup Adding webhook certificate watcher to manager 2026-01-08T14:27:14Z INFO setup Starting manager 2026-01-08T14:27:14Z INFO starting server {"name": "health probe", "addr": "[::]:8081"} 2026-01-08T14:27:14Z INFO controller-runtime.webhook Starting webhook server 2026-01-08T14:27:14Z INFO setup disabling http/2 2026-01-08T14:27:14Z INFO controller-runtime.webhook Serving webhook server {"host": "", "port": 9443} ``` ### Grant permissions to the target namespaces Grant additional permissions by configuring ServiceAccounts and RoleBindings/ClusterRoleBindings for the target Kubernetes namespace where the Aerospike clusters are created. AKO is installed in the `operators` namespace on an OLM installation. You can use the `kubectl` or `akoctl` tools to grant permissions for the `aerospike` namespace. - [kubectl](#tab-panel-3049) - [akoctl](#tab-panel-3050) 1. Create the Kubernetes namespace if it doesn’t already exist. ```plaintext kubectl create namespace aerospike ``` 2. Create a service account. ```plaintext kubectl -n aerospike create serviceaccount aerospike-operator-controller-manager ``` 3. Create a RoleBinding or ClusterRoleBinding to attach this service account to the `aerospike-cluster` ClusterRole. This ClusterRole is created as part of AKO installation and grants Aerospike cluster permissions to the service account. - For using the Kubernetes native pod-only network to connect to the Aerospike cluster: 1. Create a RoleBinding with the following command: ```plaintext kubectl -n aerospike create rolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager ``` - For connecting to the Aerospike cluster from outside Kubernetes: 1. Create a ClusterRoleBinding with the following command: ```plaintext kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager ``` Add multiple `--serviceaccount` parameters to the previous command to attach multiple service accounts of different namespaces at one time. Example: To attach service accounts of the aerospike and aerospike1 namespaces: ```plaintext kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager --serviceaccount=aerospike1:aerospike-operator-controller-manager ``` 2. If the required ClusterRoleBinding already exists in the cluster, edit it to attach a new service account. ```plaintext kubectl edit clusterrolebinding aerospike-cluster ``` 3. The `kubectl edit` command launches an editor. Append the following lines to the `subjects` section: ```plaintext kind: ServiceAccount name: aerospike-operator-controller-manager namespace: aerospike ``` 4. Save and ensure that the changes are applied. For instructions on installing the `akoctl` plugin, see [akoctl installation](https://aerospike.com/docs/kubernetes/manage/akoctl/#install-akoctl-with-krew-plugin-manager). - For using the Kubernetes native pod-only network to connect to the Aerospike cluster, grant namespace scope permissions: ```plaintext kubectl akoctl auth create -n aerospike --cluster-scope=false ``` - For connecting to the Aerospike cluster from outside Kubernetes, grant cluster scope permissions: ```plaintext kubectl akoctl auth create -n aerospike ``` To grant permissions for multiple namespaces at the same time, specify a comma-separated namespace list with the `-n` flag. ```plaintext kubectl akoctl auth create -n aerospike,aerospike1 ``` ## Next steps AKO is now installed and watching the namespaces you configured. - To deploy your first Aerospike cluster, continue to [Create an Aerospike cluster on Kubernetes](https://aerospike.com/docs/kubernetes/4.3.x/install/deploy/kubectl). - For a step‑by‑step tutorial including AKO and a sample cluster on GKE or EKS, see [Get started with AKO in the cloud](https://aerospike.com/docs/kubernetes/4.3.x/learn/get-started-cloud/).