Install Mission Control with Helm using separate cluster resources
This guide shows you how to install Mission Control in environments where you must manage cluster-scoped resources separately from the main installation. Use this approach when:
- Different teams manage cluster-level resources and application deployments
- You need to apply cluster-scoped resources with elevated privileges
- You want more control over the installation process
Prerequisites
Before you begin, ensure you have:
- A Kubernetes cluster with admin access
- Helm v3.14.0 - v3.18.0 installed
- Access to the Mission Control container registry
Install Mission Control
To install Mission Control with Helm using separate cluster resources, complete these steps:
1. Add the Mission Control cluster objects Helm repository:
   helm repo add mc-cluster-obj https://helm.k8ssandra.io/mission-control
   helm repo update
2. Install the cluster-scoped resources using the cluster objects chart:
   helm install mc-cluster-obj mc-cluster-obj/mc-cluster-obj \
     -n NAMESPACE \
     --create-namespace \
     --set targetReleaseName=RELEASE_NAME \
     --set targetNamespace=NAMESPACE
   Replace the following parameters:
   - RELEASE_NAME: The name for your release. The release name cannot include mission-control. Using a release name that includes mission-control causes naming conflicts.
   - NAMESPACE: The namespace where you want to install Mission Control.
   This step creates the namespace and installs all cluster-scoped resources, including Custom Resource Definitions (CRDs), ClusterRoles, ClusterRoleBindings, and other cluster-scoped resources.
3. Log in to the Mission Control container registry:
   helm registry login registry.replicated.com --username USERNAME --password PASSWORD
   Replace the following:
   - USERNAME: The Helm registry username
   - PASSWORD: The Helm registry password
4. Install Mission Control using Helm with cluster-scoped resources disabled:
   helm install RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
     --namespace NAMESPACE \
     --set global.clusterScopedResources=false \
     --set dex.rbac.createClusterScoped=false \
     --set kube-state-metrics.rbac.create=false \
     --skip-crds \
     --no-hooks
   Replace the following:
   - RELEASE_NAME: The name for your release. The release name cannot include mission-control. Using a release name that includes mission-control causes naming conflicts. The name must match the targetReleaseName used in step 2.
   - NAMESPACE: The namespace where you want to install Mission Control. The namespace must match the targetNamespace used in step 2.
   Key parameters:
   - global.clusterScopedResources=false: Disables creation of cluster-scoped resources.
   - dex.rbac.createClusterScoped=false: Prevents Dex from creating cluster-scoped RBAC resources.
   - kube-state-metrics.rbac.create=false: Prevents kube-state-metrics from creating RBAC resources.
   - --skip-crds: Skips CRD installation since you already applied them.
   - --no-hooks: Skips hooks that might try to create cluster-scoped resources.
   - --namespace: Target installation namespace. This must match the namespace created in step 2.
5. Verify that Mission Control is running correctly:
   kubectl get pods -n NAMESPACE
   Replace NAMESPACE with the namespace where you installed Mission Control.
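
The following check is an added example, not part of the Mission Control documentation or charts. It scans a rendered release manifest for the cluster-scoped kinds that this guide moves into the mc-cluster-obj chart, so you can confirm that the namespaced install created none; the function names and the sample manifest are constructed for illustration.

```shell
# Added example. Kinds below are the cluster-scoped kinds this guide names;
# extend the list for other cluster-scoped kinds used in your cluster.
CLUSTER_KINDS='CustomResourceDefinition|ClusterRole|ClusterRoleBinding'

# Reads multi-document YAML on stdin; prints Kind/name per cluster-scoped object.
find_cluster_scoped() {
  awk -v kinds="$CLUSTER_KINDS" '
    function emit() {
      if (kind ~ ("^(" kinds ")$")) print kind "/" name
      kind = ""; name = ""; in_meta = 0
    }
    /^---/       { emit(); next }          # document boundary
    /^kind:/     { kind = $2 }             # top-level kind only
    /^metadata:/ { in_meta = 1; next }
    /^[^ #]/     { in_meta = 0 }           # any other top-level key ends metadata
    in_meta && /^  name:/ && name == "" { name = $2; gsub(/"/, "", name) }
    END          { emit() }
  '
}

# Exit status 0 only if the manifest on stdin holds no cluster-scoped objects.
check_manifest() {
  found="$(find_cluster_scoped)"
  if [ -n "$found" ]; then
    printf 'cluster-scoped objects in namespaced release:\n%s\n' "$found" >&2
    return 1
  fi
}

# Constructed sample manifest (not real Mission Control chart output).
SAMPLE_MANIFEST='---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-operator
  namespace: demo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: demo
  name: demo-leaked-role
rules: []
'
printf '%s' "$SAMPLE_MANIFEST" | find_cluster_scoped
```

Against a live install, pipe the output of helm get manifest RELEASE_NAME -n NAMESPACE into check_manifest; a non-zero exit status means the application release owns objects that should be managed by the cluster objects chart.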
Configure additional options
You can customize the installation by creating a values file with additional settings, for example:
# values.yaml
global:
  clusterScopedResources: false
dex:
  rbac:
    createClusterScoped: false
kube-state-metrics:
  rbac:
    create: false
# Add other customizations as needed
Then use this file during installation:
helm install RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
--namespace NAMESPACE \
-f values.yaml \
--skip-crds \
--no-hooks
Replace the following:
- RELEASE_NAME: The name for your release. The release name cannot include mission-control. Using a release name that includes mission-control causes naming conflicts.
- NAMESPACE: The namespace where you want to install Mission Control
Upgrade Mission Control with separate cluster resources
When upgrading Mission Control with separate cluster resources, you must upgrade the cluster-scoped resources first, then update the Helm chart. This ensures that all resources stay in sync.
1. Update the cluster objects repository and upgrade the cluster-scoped resources:
   helm repo update
   helm upgrade mc-cluster-obj mc-cluster-obj/mc-cluster-obj \
     -n NAMESPACE \
     --set targetReleaseName=RELEASE_NAME \
     --set targetNamespace=NAMESPACE
   Replace the following:
   - RELEASE_NAME: The name for your release. The release name cannot include mission-control. Using a release name that includes mission-control causes naming conflicts.
   - NAMESPACE: The namespace where you installed Mission Control
2. Upgrade the Helm release with cluster-scoped resources disabled:
   helm upgrade RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
     --namespace NAMESPACE \
     --set global.clusterScopedResources=false \
     --set dex.rbac.createClusterScoped=false \
     --set kube-state-metrics.rbac.create=false \
     --skip-crds \
     --no-hooks
   Replace the following:
   - RELEASE_NAME: The name for your release. The release name cannot include mission-control. Using a release name that includes mission-control causes naming conflicts.
   - NAMESPACE: The namespace where you installed Mission Control
   The following arguments are important to successfully applying the upgrade:
   - global.clusterScopedResources=false: Disables creation of cluster-scoped resources.
   - dex.rbac.createClusterScoped=false: Prevents Dex from creating cluster-scoped RBAC resources.
   - kube-state-metrics.rbac.create=false: Prevents kube-state-metrics from creating RBAC resources.
   - --skip-crds: Skips CRD installation since you already applied them.
   - --no-hooks: Skips hooks that might try to create cluster-scoped resources.
3. Verify the upgrade by checking the cluster-scoped resources:
   kubectl get crds | grep missioncontrol
   kubectl get clusterroles | grep mission-control
   kubectl get clusterrolebindings | grep mission-control
Troubleshoot installation issues
If you encounter problems during installation:
- Verify that all cluster-scoped resources were applied correctly:
  kubectl get crds | grep missioncontrol
  kubectl get clusterroles | grep mission-control
  kubectl get clusterrolebindings | grep mission-control
- Check the Mission Control operator logs:
  kubectl logs -n NAMESPACE -l app.kubernetes.io/name=mission-control
  Replace NAMESPACE with the namespace where you installed Mission Control.
- Ensure all required namespaces exist:
  kubectl get namespace NAMESPACE
  Replace NAMESPACE with the name of the namespace where you installed Mission Control.
Security best practices
When managing cluster-scoped resources:
- Use a GitOps workflow to manage the cluster-scoped resources.
- Review and update the cluster-scoped resources regularly.
- Apply the principle of least privilege when assigning permissions.