Install Mission Control with Helm using separate cluster resources
This guide shows you how to install Mission Control in environments where you must manage cluster-scoped resources separately from the main installation. Use this approach when:
-
Different teams manage cluster-level resources and application deployments
-
You need to apply cluster-scoped resources with elevated privileges
-
You want more control over the installation process
Prerequisites
Before you begin, ensure you have:
-
A Kubernetes cluster with admin access
-
Helm CLI v3.16.0 - v3.17.0 installed
Mission Control doesn’t support Helm v3.18.0 or later.
-
The Mission Control CLI tool
mcctlinstalled: -
Access to the Mission Control container registry
Install Mission Control
To install Mission Control with Helm using separate cluster resources, complete these steps:
-
Extract all cluster-scoped resources from the Mission Control chart using the
mcctltool:
# Log in to the helm registry
helm registry login registry.replicated.com --username USERNAME --password PASSWORD
# Extract cluster-scoped resources
./mcctl helm admin RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control --namespace NAMESPACE --version VERSION --set "loki.loki.schemaConfig.configs[0].object_store=s3" --output-dir .|
You can use |
Replace the following parameters:
-
USERNAME: The Helm registry username -
PASSWORD: The Helm registry password -
RELEASE_NAME: The name for your release -
NAMESPACE: The namespace where you want to install Mission Control -
VERSION: The Mission Control version to install
The version is optional if you want to use the latest, but is recommended to avoid a drift between the manifest generation and the Helm installation versions.
It will take the form <major>.<minor>.<patch>, for example 1.12.0.
This generates a file named <release-name>-cluster-resources.yaml containing all cluster-scoped resources, including Custom Resource Definitions (CRDs), ClusterRoles, ClusterRoleBindings, and other cluster-scoped resources.
-
Apply the extracted cluster-scoped resources using kubectl with admin privileges, after creating the target namespace:
kubectl apply -f RELEASE_NAME-cluster-resources.yaml --server-side --force-conflicts --namespace NAMESPACEReplace the following:
-
RELEASE_NAME: The name of the release -
NAMESPACE: The namespace where you want to install Mission Control-
Install Mission Control using Helm with cluster-scoped resources disabled:
-
helm install RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
--namespace NAMESPACE \
--set global.clusterScopedResources=false \
--set dex.rbac.createClusterScoped=false \
--set kube-state-metrics.rbac.create=false \
--skip-crds \
--no-hooks \
--version VERSIONReplace the following:
-
RELEASE_NAME: The name of the release -
NAMESPACE: The namespace where you want to install Mission Control -
VERSION: The Mission Control version to install
Key parameters:
-
global.clusterScopedResources=false: Disables creation of cluster-scoped resources. -
dex.rbac.createClusterScoped=false: Prevents Dex from creating cluster-scoped RBAC resources. -
kube-state-metrics.rbac.create=false: Prevents kube-state-metrics from creating RBAC resources. -
--skip-crds: Skips CRD installation since you already applied them. -
--no-hooks: Skips hooks that might try to create cluster-scoped resources. -
--namespace: Target installation namespace. It must be the same namespace that you used to generate the cluster-level manifests. -
--version: The version of Mission Control to install. Must match the version that you used to generate the cluster-level manifests.-
Verify that Mission Control is running correctly:
-
kubectl get pods -n NAMESPACEReplace NAMESPACE with the namespace where you installed Mission Control.
Configure additional options
You can customize the installation by creating a values file with additional settings, for example:
# values.yaml
global:
clusterScopedResources: false
dex:
rbac:
createClusterScoped: false
kube-state-metrics:
rbac:
create: false
# Add other customizations as neededThen use this file during installation:
helm install RELEASE_NAME oci://registry.replicated.com/mission-control/<channel>/mission-control \
--namespace NAMESPACE \
--create-namespace \
-f values.yaml \
--skip-crds \
--no-hooksReplace the following:
-
RELEASE_NAME: The name of the release -
NAMESPACE: The namespace where you want to install Mission Control -
VERSION: The Mission Control version to install
Upgrade Mission Control with separate cluster resources
When upgrading Mission Control with separate cluster resources, you must upgrade the cluster-scoped resources first, then update the Helm chart. This ensures that all resources stay in sync.
-
Extract the new cluster-scoped resources using
mcctl:
# Log in to the helm registry
helm registry login registry.replicated.com --username USERNAME --password PASSWORD
# Extract cluster-scoped resources
./mcctl helm admin RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
--namespace NAMESPACE \
--version NEW_VERSION \
--set "loki.loki.schemaConfig.configs[0].object_store=s3" \
--output-dir .Replace the following:
-
USERNAME: The Helm registry username -
PASSWORD: The Helm registry password -
RELEASE_NAME: The name of the release -
NAMESPACE: The namespace where you installed Mission Control -
NEW_VERSION: The new Mission Control version to upgrade to-
Apply the updated cluster-scoped resources:
-
kubectl apply -f RELEASE_NAME-cluster-resources.yaml --server-side --force-conflicts --namespace NAMESPACEReplace the following:
-
RELEASE_NAME: The name of the release -
NAMESPACE: The namespace where you installed Mission Control-
Upgrade the Helm release with cluster-scoped resources disabled:
-
helm upgrade RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
--namespace NAMESPACE \
--set global.clusterScopedResources=false \
--set dex.rbac.createClusterScoped=false \
--set kube-state-metrics.rbac.create=false \
--skip-crds \
--no-hooks \
--version NEW_VERSIONReplace the following:
-
RELEASE_NAME: The name of the release -
NAMESPACE: The namespace where you installed Mission Control -
NEW_VERSION: The new Mission Control version to upgrade to
The following arguments are important to successfully applying the upgrade:
-
global.clusterScopedResources=false: Disables creation of cluster-scoped resources. -
dex.rbac.createClusterScoped=false: Prevents Dex from creating cluster-scoped RBAC resources. -
kube-state-metrics.rbac.create=false: Prevents kube-state-metrics from creating RBAC resources. -
--skip-crds: Skips CRD installation since you already applied them. -
--no-hooks: Skips hooks that might try to create cluster-scoped resources.-
Verify the upgrade by checking the cluster-scoped resources:
-
kubectl get crds | grep missioncontrol
kubectl get clusterroles | grep mission-control
kubectl get clusterrolebindings | grep mission-controlTroubleshoot installation issues
If you encounter problems during installation:
-
Verify that all cluster-scoped resources were applied correctly:
kubectl get crds | grep missioncontrol
kubectl get clusterroles | grep mission-control
kubectl get clusterrolebindings | grep mission-control-
Check the Mission Control operator logs:
kubectl logs -n NAMESPACE -l app.kubernetes.io/name=mission-controlReplace NAMESPACE with the namespace where you installed Mission Control.
-
Ensure all required namespaces exist:
kubectl get namespace NAMESPACEReplace NAMESPACE with the name of the namespace where you installed Mission Control.
Security best practices
When managing cluster-scoped resources:
-
Secure the cluster-scoped resources manifest file, as it contains sensitive configuration.
-
Use a GitOps workflow to manage the cluster-scoped resources.
-
Review and update the cluster-scoped resources regularly.
-
Apply the principle of least privilege when assigning permissions.
