Operator Scope

[sunnyyip]

Hello maintainers,

I have some questions regarding the operator.scope parameter per the README.

I'm using helm.sh/chart: kube-arangodb-1.2.32

1. Is the default "legacy" scoped to the cluster - i.e. it oversees all ArangoDeployment kind across all namespaces?

If so, does it require additional permission/rbac config for it to work apart from the clusterrole/binding that comes with the chart?
I ask because I deployed the operator to a dedicated (common) namespace and created ArangoDeployment in another (app) namespace but the operator doesn't see or take no action on the ArangoDeployment object. Nothing new nor error is written to the logs.

If not, how does it work compare to the "namespaced" scope?

2. What is the recommended scope setting for a production multi-tenant K8s cluster? i.e. a cluster that will run multiple Arango DBs for different apps in its own namespace.

Thank you

[ajanikow]

Hello!

• Legacy mode is the old mode, which required Cluster and Namespaced roles (for example RO access to Nodes, Volumes etc). This mode still manages deployments only in the scope of a single Namespace. It requires access to the ClusterRole.
• Namespaced mode uses only Namespace resources (can be deployed by the use limited to single Namespace). It does not require access to the ClusterRole.

Both scopes have the same functionality (use different mechanisms) and do not have an influence on code (The operator discovers access in the runtime, and is able to adjust to the RBAC changes).

This will be changed to only 'namespaced' in the next few releases.

Best,
Adam.

[sunnyyip]

Thanks @ajanikow for the explanation! It sounds like "namespaced" scope is the way to go for new deployment anticipating the change to that model in near future.