# Use kubectl to create an Aerospike cluster on Kubernetes To deploy an Aerospike Database Enterprise Edition (EE) cluster with AKO, create an Aerospike custom resource (CR) file with the cluster parameters, such as the number of Aerospike Database instances, Aerospike configuration, and system resources. Then use `kubectl` to apply that configuration to your Kubernetes cluster(s). The Aerospike Kubernetes Operator can deploy multiple Aerospike clusters within one or more Kubernetes namespaces. ## Prerequisites Before deploying your Aerospike cluster, install the Aerospike Kubernetes Operator on your Kubernetes cluster(s) using either: - [OLM](https://aerospike.com/docs/kubernetes/install/olm) - [Helm](https://aerospike.com/docs/kubernetes/install/helm) ## Deploy Aerospike Database with AKO 1. Prepare the namespace. ::: note If you have already created and granted AKO permissions for a namespace, you can skip this step and go directly to storage configuration. ::: Aerospike recommends using at least one namespace called `aerospike` for Aerospike clusters instead of AKO’s namespace for your clusters. If this is your first cluster to be launched, create and provide access for AKO to use this namespace. In Kubernetes 1.23 and later, Pod Security Admission (PSA) is enabled by default. Make sure the namespace where the Aerospike cluster is installed has either `baseline` or `privileged` Pod Security Standard level set. The `restricted` level is not supported by Aerospike. The default Pod Security Standard level in Kubernetes 1.23 is `privileged`. For more details, see [Apply Pod Security Standards](https://kubernetes.io/docs/tutorials/security/ns-level-pss/). You can use the `kubectl` or `akoctl` tools to grant permissions for the `aerospike` namespace. - [kubectl](#tab-panel-927) - [akoctl](#tab-panel-928) 1. Create the Kubernetes namespace if it doesn’t already exist. ```plaintext kubectl create namespace aerospike ``` 2. Create a service account. ```plaintext kubectl -n aerospike create serviceaccount aerospike-operator-controller-manager ``` 3. Create a RoleBinding or ClusterRoleBinding to attach this service account to the `aerospike-cluster` ClusterRole. This ClusterRole is created as part of AKO installation and grants Aerospike cluster permissions to the service account. - For using the Kubernetes native pod-only network to connect to the Aerospike cluster: 1. Create a RoleBinding with the following command: ```plaintext kubectl -n aerospike create rolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager ``` - For connecting to the Aerospike cluster from outside Kubernetes: 1. Create a ClusterRoleBinding with the following command: ```plaintext kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager ``` Add multiple `--serviceaccount` parameters to the previous command to attach multiple service accounts of different namespaces at one time. Example: To attach service accounts of the aerospike and aerospike1 namespaces: ```plaintext kubectl create clusterrolebinding aerospike-cluster --clusterrole=aerospike-cluster --serviceaccount=aerospike:aerospike-operator-controller-manager --serviceaccount=aerospike1:aerospike-operator-controller-manager ``` 2. If the required ClusterRoleBinding already exists in the cluster, edit it to attach a new service account. ```plaintext kubectl edit clusterrolebinding aerospike-cluster ``` 3. The `kubectl edit` command launches an editor. Append the following lines to the `subjects` section: ```plaintext kind: ServiceAccount name: aerospike-operator-controller-manager namespace: aerospike ``` 4. Save and ensure that the changes are applied. For instructions on installing the `akoctl` plugin, see [akoctl installation](https://aerospike.com/docs/kubernetes/manage/akoctl/#install-akoctl-with-krew-plugin-manager). - For using the Kubernetes native pod-only network to connect to the Aerospike cluster, grant namespace scope permissions: ```plaintext kubectl akoctl auth create -n aerospike --cluster-scope=false ``` - For connecting to the Aerospike cluster from outside Kubernetes, grant cluster scope permissions: ```plaintext kubectl akoctl auth create -n aerospike ``` To grant permissions for multiple namespaces at the same time, specify a comma-separated namespace list with the `-n` flag. ```plaintext kubectl akoctl auth create -n aerospike,aerospike1 ``` 2. Create your Aerospike cluster configuration file. The Aerospike Kubernetes Operator GitHub repository contains example YAML CR files for different types of cluster deployment. These files are located in [the main Aerospike Kubernetes Operator repository](https://github.com/aerospike/aerospike-kubernetes-operator/tree/v4.3.0/config/samples). See the [cluster configuration reference page](https://aerospike.com/docs/database/manage/database/as-config) for details of each parameter. 3. Configure your storage class. ::: note AKO works with dynamically-provisioned storage classes. Aerospike Database pods may have different storage volumes associated with each service. ::: Persistent storage on the pods support a variety of storage class provisioners. You can access and download [sample storage class files](https://github.com/aerospike/aerospike-kubernetes-operator/tree/v4.3.0/config/samples/storage) in the AKO GitHub repository. Apply one of the following sample storage classes based on your Kubernetes environment: - EKS: `kubectl apply -f eks_ssd_storage_class.yaml` - GCE: `kubectl apply -f gce_ssd_storage_class.yaml` - AKS: `kubectl apply -f aks_ssd_storage_class.yaml` - Microk8s: `kubectl apply -f microk8s_filesystem_storage_class.yaml` - Minikube: Minikube does not require a custom storage class. You can use the default Minikube storage class. These file paths assume that you are running commands from the folder containing the files. If not, replace the file name with the full path to the sample file. See [Storage Provisioning](https://aerospike.com/docs/kubernetes/manage/storage/storage-provisioning) for more details on configuring persistent storage. 4. Create secrets to set up features like the feature-key file (`features.conf`), Aerospike authentication, TLS, and the cluster admin password. See the [Manage TLS Certificates](https://aerospike.com/docs/kubernetes/manage/security/certificates) section for more details. The [example secrets directory on GitHub](https://github.com/aerospike/aerospike-kubernetes-operator/tree/v4.3.0/config/samples/secrets) includes a collection of example TLS certificates and security credentials. Download these files into a local folder called `secrets`. 5. Add your `features.conf` feature-key file to the `secrets` directory. 6. Apply the secrets as a Kubernetes Secret with the following command. Terminal window ```bash kubectl -n aerospike create secret generic aerospike-secret --from-file=secrets ``` To create a Secret containing the password for the Aerospike cluster admin user: Terminal window ```bash kubectl -n aerospike create secret generic auth-secret --from-literal=password='admin123' ``` 7. Create the Aerospike cluster custom resource (CR) file. See [cluster configuration settings](https://aerospike.com/docs/kubernetes/reference/config-reference) for details on the parameters available in the Aerospike cluster CR file. You can find sample Aerospike cluster CR files for different configurations in [the AKO GitHub repository](https://github.com/aerospike/aerospike-kubernetes-operator/tree/v4.3.0/config/samples). You can edit the CR file at any time to make changes and manage the Aerospike cluster. 8. Deploy the Aerospike cluster. Use the Aerospike cluster custom resource YAML file (CR file) you created in the previous step to deploy an Aerospike cluster. Terminal window ```bash kubectl apply -f CUSTOM_RESOURCE_FILE.yaml ``` For example, to use the [dim\_nostorage\_cluster\_cr.yaml](https://github.com/aerospike/aerospike-kubernetes-operator/blob/v4.3.0/config/samples/dim_nostorage_cluster_cr.yaml) file, download it and apply it to your cluster with the following command: Terminal window ```bash kubectl apply -f dim_nostorage_cluster_cr.yaml ``` To deploy a non-root Aerospike cluster, see [Create Non-root Aerospike Cluster](https://aerospike.com/docs/kubernetes/manage/security/nonroot-cluster#create-aerospike-cluster-custom-resource-cr). 9. Run `kubectl get statefulset` to ensure AKO has created the StatefulSets for the custom resource. Terminal window ```bash kubectl get statefulset -n aerospike ``` Output Terminal window ```bash NAME READY AGE aerocluster-0 2/2 24s ``` 10. Run `kubectl get pods` to check the pods to confirm the status. This step may take time as the pods provision resources, initialize, and are ready. Wait for the pods to switch to the Running state before you continue. Terminal window ```bash kubectl get pods -n aerospike ``` Output Terminal window ```bash NAME READY STATUS RESTARTS AGE aerocluster-0-0 1/1 Running 0 48s aerocluster-0-1 1/1 Running 0 48s ``` If the Aerospike cluster pods do not switch to Running status in a few minutes, refer to the [Troubleshooting Guide](https://aerospike.com/docs/kubernetes/reference/troubleshooting).