Install Kubernetes cluster-level resources separately

This guide shows you how to install and manage Kubernetes cluster-level resources separately from the main Mission Control installation. This functionality was introduced in Mission Control version 1.12.0 and allows for better separation of responsibilities between Kubernetes cluster administrators and application users.

Use this approach when:

  • Different teams manage cluster-level resources and application deployments

  • You need to apply cluster-scoped resources with elevated privileges

  • You want more control over the installation process

  • Your organization requires separation of cluster administration and application management

Prerequisites

Before you begin, ensure you have:

Extract cluster-level resources

Use the mcctl tool to extract all cluster-scoped resources from the Mission Control Helm chart:

# Log in to the helm registry
helm registry login registry.replicated.com --username USERNAME --password PASSWORD

# Extract cluster-scoped resources
./mcctl helm admin RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
  --namespace NAMESPACE \
  --version VERSION \
  --set "loki.loki.schemaConfig.configs[0].object_store=s3" \
  --output-dir .

Replace the following:

  • USERNAME: The Helm registry username

  • PASSWORD: The Helm registry password

  • RELEASE_NAME: The name for your release

  • NAMESPACE: The namespace where you want to install Mission Control

  • VERSION: The Mission Control version to install

You can use --set "loki.loki.schemaConfig.configs[0].object_store=s3" to work around a sanity check performed in the Helm chart to allow rendering the manifests.

The version is optional if you want to use the latest, but is recommended to avoid a drift between the manifest generation and the Helm installation versions.

This command generates a file named <release-name>-cluster-resources.yaml containing all cluster-scoped resources, including:

  • Custom Resource Definitions (CRDs)

  • ClusterRoles

  • ClusterRoleBindings

  • Other cluster-scoped resources

Apply cluster-level resources

Apply the extracted cluster-scoped resources using kubectl with admin privileges:

kubectl apply -f RELEASE_NAME-cluster-resources.yaml --server-side --force-conflicts --namespace NAMESPACE

Replace the following:

  • RELEASE_NAME: The name of the release

  • NAMESPACE: The namespace where you want to install Mission Control

You must have cluster-admin privileges to apply these resources. The --server-side --force-conflicts flags ensure that the resources are applied correctly even if there are conflicts with existing resources.

Install Mission Control with cluster resources disabled

After applying the cluster-level resources, install Mission Control using Helm with cluster-scoped resources disabled:

helm install RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
  --namespace NAMESPACE \
  --set global.clusterScopedResources=false \
  --set dex.rbac.createClusterScoped=false \
  --set kube-state-metrics.rbac.create=false \
  --skip-crds \
  --no-hooks \
  --version VERSION

Replace the following:

  • RELEASE_NAME: The name of the release

  • NAMESPACE: The namespace where you want to install Mission Control

  • VERSION: The Mission Control version to install

Key parameters:

  • global.clusterScopedResources=false: Disables creation of cluster-scoped resources

  • dex.rbac.createClusterScoped=false: Prevents Dex from creating cluster-scoped RBAC resources

  • kube-state-metrics.rbac.create=false: Prevents kube-state-metrics from creating RBAC resources

  • --skip-crds: Skips CRD installation since you already applied them

  • --no-hooks: Skips hooks that might try to create cluster-scoped resources

  • --namespace: Target installation namespace. It must be the same namespace that you used to generate the cluster-level manifests

  • --version: The version of Mission Control to install. Must match the version that you used to generate the cluster-level manifests

Verify the installation

Verify that Mission Control is running correctly:

kubectl get pods -n NAMESPACE

Replace NAMESPACE with the namespace where you installed Mission Control.

You should see all Mission Control components running successfully.

Configure additional options

You can customize the installation by creating a values file with additional settings:

# values.yaml
global:
  clusterScopedResources: false

dex:
  rbac:
    createClusterScoped: false

kube-state-metrics:
  rbac:
    create: false

# Add other customizations as needed

Then use this file during installation:

helm install RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
  --namespace NAMESPACE \
  --create-namespace \
  -f values.yaml \
  --skip-crds \
  --no-hooks \
  --version VERSION

Replace the following:

  • RELEASE_NAME: The name of the release

  • NAMESPACE: The namespace where you want to install Mission Control

  • VERSION: The Mission Control version to install

Upgrade Mission Control with separate cluster resources

When upgrading Mission Control with separate cluster resources, you must upgrade the cluster-scoped resources first, then update the Helm chart. This ensures that all resources stay in sync.

  1. Extract the new cluster-scoped resources using mcctl:

    # Log in to the helm registry
helm registry login registry.replicated.com --username USERNAME --password PASSWORD

# Extract cluster-scoped resources
./mcctl helm admin RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
  --namespace NAMESPACE \
  --version NEW_VERSION \
  --set "loki.loki.schemaConfig.configs[0].object_store=s3" \
  --output-dir .

    Replace the following:

    • USERNAME: The Helm registry username

    • PASSWORD: The Helm registry password

    • RELEASE_NAME: The name of the release

    • NAMESPACE: The namespace where you installed Mission Control

    • NEW_VERSION: The new Mission Control version to upgrade to

  2. Apply the updated cluster-scoped resources:

    kubectl apply -f RELEASE_NAME-cluster-resources.yaml --server-side --force-conflicts --namespace NAMESPACE

    Replace the following:

    • RELEASE_NAME: The name of the release

    • NAMESPACE: The namespace where you installed Mission Control

  3. Upgrade the Helm release with cluster-scoped resources disabled:

    helm upgrade RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
  --namespace NAMESPACE \
  --set global.clusterScopedResources=false \
  --set dex.rbac.createClusterScoped=false \
  --set kube-state-metrics.rbac.create=false \
  --skip-crds \
  --no-hooks \
  --version NEW_VERSION

    Replace the following:

    • RELEASE_NAME: The name of the release

    • NAMESPACE: The namespace where you installed Mission Control

    • NEW_VERSION: The new Mission Control version to upgrade to

      The following arguments are important to successfully applying the upgrade:

    • global.clusterScopedResources=false: Disables creation of cluster-scoped resources

    • dex.rbac.createClusterScoped=false: Prevents Dex from creating cluster-scoped RBAC resources

    • kube-state-metrics.rbac.create=false: Prevents kube-state-metrics from creating RBAC resources

    • --skip-crds: Skips CRD installation since you already applied them

    • --no-hooks: Skips hooks that might try to create cluster-scoped resources

  4. Verify the upgrade by checking the cluster-scoped resources:

    kubectl get crds | grep missioncontrol
kubectl get clusterroles | grep mission-control
kubectl get clusterrolebindings | grep mission-control

Troubleshoot installation issues

If you encounter problems during installation:

  1. Verify that all cluster-scoped resources were applied correctly:

    kubectl get crds | grep missioncontrol
kubectl get clusterroles | grep mission-control
kubectl get clusterrolebindings | grep mission-control

  2. Check the Mission Control operator logs:

    kubectl logs -n NAMESPACE -l app.kubernetes.io/name=mission-control

    Replace NAMESPACE with the namespace where you installed Mission Control.

  3. Ensure all required namespaces exist:

    kubectl get namespace NAMESPACE

    Replace NAMESPACE with the name of the namespace where you installed Mission Control.

Security best practices

When managing cluster-scoped resources:

  • Secure the cluster-scoped resources manifest file as it contains sensitive configuration.

  • Use a GitOps workflow to manage the cluster-scoped resources.

  • Review and update the cluster-scoped resources regularly.

  • Apply the principle of least privilege when assigning permissions.

  • Store the cluster resources manifest in a secure location with proper access controls.

  • Use version control to track changes to cluster-scoped resources.

See also

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com