Install Mission Control with Helm using separate cluster resources

This guide shows you how to install Mission Control in environments where you must manage cluster-scoped resources separately from the main installation. Use this approach when:

  • Different teams manage cluster-level resources and application deployments

  • You need to apply cluster-scoped resources with elevated privileges

  • You want more control over the installation process

Prerequisites

Before you begin, ensure you have:

Install Mission Control

To install Mission Control with Helm using separate cluster resources, complete these steps:

  1. Extract all cluster-scoped resources from the Mission Control chart using the mcctl tool:

# Log in to the helm registry
helm registry login registry.replicated.com --username USERNAME --password PASSWORD

# Extract cluster-scoped resources
./mcctl helm admin RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
  --namespace NAMESPACE \
  --version VERSION \
  --set "loki.loki.schemaConfig.configs[0].object_store=s3" \
  --output-dir .

The --set "loki.loki.schemaConfig.configs[0].object_store=s3" argument works around a sanity check in the Helm chart so that the manifests can be rendered.

Replace the following parameters:

  • USERNAME: The Helm registry username

  • PASSWORD: The Helm registry password

  • RELEASE_NAME: The name for your release

  • NAMESPACE: The namespace where you want to install Mission Control

  • VERSION: The Mission Control version to install

The version is optional if you want to use the latest release, but specifying it is recommended to avoid drift between the version used to generate the manifests and the version installed with Helm. It takes the form <major>.<minor>.<patch>, for example 1.12.0.

This generates a file named <release-name>-cluster-resources.yaml containing all cluster-scoped resources, including Custom Resource Definitions (CRDs), ClusterRoles, ClusterRoleBindings, and other cluster-scoped resources.

  2. Apply the extracted cluster-scoped resources using kubectl with admin privileges, after creating the target namespace:

kubectl apply -f RELEASE_NAME-cluster-resources.yaml --server-side --force-conflicts --namespace NAMESPACE

Replace the following:

  • RELEASE_NAME: The name of the release

  • NAMESPACE: The namespace where you want to install Mission Control

  3. Install Mission Control using Helm with cluster-scoped resources disabled:

helm install RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
  --namespace NAMESPACE \
  --set global.clusterScopedResources=false \
  --set dex.rbac.createClusterScoped=false \
  --set kube-state-metrics.rbac.create=false \
  --skip-crds \
  --no-hooks \
  --version VERSION

Replace the following:

  • RELEASE_NAME: The name of the release

  • NAMESPACE: The namespace where you want to install Mission Control

  • VERSION: The Mission Control version to install

Key parameters:

  • global.clusterScopedResources=false: Disables creation of cluster-scoped resources.

  • dex.rbac.createClusterScoped=false: Prevents Dex from creating cluster-scoped RBAC resources.

  • kube-state-metrics.rbac.create=false: Prevents kube-state-metrics from creating RBAC resources.

  • --skip-crds: Skips CRD installation since you already applied them.

  • --no-hooks: Skips hooks that might try to create cluster-scoped resources.

  • --namespace: Target installation namespace. It must be the same namespace that you used to generate the cluster-level manifests.

  • --version: The version of Mission Control to install. Must match the version that you used to generate the cluster-level manifests.

  4. Verify that Mission Control is running correctly:

kubectl get pods -n NAMESPACE

Replace NAMESPACE with the namespace where you installed Mission Control.

Configure additional options

You can customize the installation by creating a values file with additional settings, for example:

# values.yaml
global:
  clusterScopedResources: false

dex:
  rbac:
    createClusterScoped: false

kube-state-metrics:
  rbac:
    create: false

# Add other customizations as needed

Then use this file during installation:

helm install RELEASE_NAME oci://registry.replicated.com/mission-control/<channel>/mission-control \
  --namespace NAMESPACE \
  --create-namespace \
  -f values.yaml \
  --skip-crds \
  --no-hooks \
  --version VERSION

Replace the following:

  • RELEASE_NAME: The name of the release

  • NAMESPACE: The namespace where you want to install Mission Control

  • VERSION: The Mission Control version to install

Upgrade Mission Control with separate cluster resources

When upgrading Mission Control with separate cluster resources, you must upgrade the cluster-scoped resources first, then update the Helm chart. This ensures that all resources stay in sync.

  1. Extract the new cluster-scoped resources using mcctl:

# Log in to the helm registry
helm registry login registry.replicated.com --username USERNAME --password PASSWORD

# Extract cluster-scoped resources
./mcctl helm admin RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
  --namespace NAMESPACE \
  --version NEW_VERSION \
  --set "loki.loki.schemaConfig.configs[0].object_store=s3" \
  --output-dir .

Replace the following:

  • USERNAME: The Helm registry username

  • PASSWORD: The Helm registry password

  • RELEASE_NAME: The name of the release

  • NAMESPACE: The namespace where you installed Mission Control

  • NEW_VERSION: The new Mission Control version to upgrade to

  2. Apply the updated cluster-scoped resources:

kubectl apply -f RELEASE_NAME-cluster-resources.yaml --server-side --force-conflicts --namespace NAMESPACE

Replace the following:

  • RELEASE_NAME: The name of the release

  • NAMESPACE: The namespace where you installed Mission Control

  3. Upgrade the Helm release with cluster-scoped resources disabled:

helm upgrade RELEASE_NAME oci://registry.replicated.com/mission-control/stable/mission-control \
  --namespace NAMESPACE \
  --set global.clusterScopedResources=false \
  --set dex.rbac.createClusterScoped=false \
  --set kube-state-metrics.rbac.create=false \
  --skip-crds \
  --no-hooks \
  --version NEW_VERSION

Replace the following:

  • RELEASE_NAME: The name of the release

  • NAMESPACE: The namespace where you installed Mission Control

  • NEW_VERSION: The new Mission Control version to upgrade to

The following arguments are required for the upgrade to apply successfully:

  • global.clusterScopedResources=false: Disables creation of cluster-scoped resources.

  • dex.rbac.createClusterScoped=false: Prevents Dex from creating cluster-scoped RBAC resources.

  • kube-state-metrics.rbac.create=false: Prevents kube-state-metrics from creating RBAC resources.

  • --skip-crds: Skips CRD installation since you already applied them.

  • --no-hooks: Skips hooks that might try to create cluster-scoped resources.

  4. Verify the upgrade by checking the cluster-scoped resources:

kubectl get crds | grep missioncontrol
kubectl get clusterroles | grep mission-control
kubectl get clusterrolebindings | grep mission-control

Troubleshoot installation issues

If you encounter problems during installation:

  1. Verify that all cluster-scoped resources were applied correctly:

kubectl get crds | grep missioncontrol
kubectl get clusterroles | grep mission-control
kubectl get clusterrolebindings | grep mission-control

  2. Check the Mission Control operator logs:

kubectl logs -n NAMESPACE -l app.kubernetes.io/name=mission-control

Replace NAMESPACE with the namespace where you installed Mission Control.

  3. Ensure all required namespaces exist:

kubectl get namespace NAMESPACE

Replace NAMESPACE with the name of the namespace where you installed Mission Control.

Security best practices

When managing cluster-scoped resources:

  • Secure the cluster-scoped resources manifest file, as it contains sensitive configuration.

  • Use a GitOps workflow to manage the cluster-scoped resources.

  • Review and update the cluster-scoped resources regularly.

  • Apply the principle of least privilege when assigning permissions.
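
One way to put the review and least-privilege points above into practice is to gate the admin apply step on an inspection of the extracted manifest. The following script is an added example, not part of Mission Control or mcctl. It assumes Helm-style rendering (documents separated by ---, top-level keys at column 0), and the function names and sample manifest are constructed for illustration.

```shell
# Added example: review gate for RELEASE_NAME-cluster-resources.yaml.
# Assumes Helm-style output: documents split by '---', top-level keys at
# column 0, and metadata.name / roleRef.name indented by two spaces.

# Count resources per kind so reviewers see what the admin apply will create.
kinds_summary() {
  awk '/^kind:/ { n[$2]++ } END { for (k in n) print n[k], k }' "$1" | sort -k2
}

# List (Cluster)Roles with a quoted "*" in rules and bindings to cluster-admin.
rbac_findings() {
  awk -v q="'" '
    function emit() {
      if ((kind == "ClusterRole" || kind == "Role") && wild)
        print "WILDCARD " kind "/" name
      if (kind ~ /RoleBinding$/ && ref == "cluster-admin")
        print "CLUSTER-ADMIN " kind "/" name
      kind = ""; name = ""; ref = ""; sect = ""; wild = 0
    }
    /^---/        { emit(); next }
    /^[A-Za-z]+:/ { sect = $1 }                 # current top-level key
    /^kind:/      { kind = $2 }
    /^  name:/    { if (sect == "metadata:") name = $2
                    if (sect == "roleRef:")  ref  = $2 }
    sect == "rules:" && (index($0, q "*" q) || index($0, "\"*\"")) { wild = 1 }
    END           { emit() }
  ' "$1"
}

# Return non-zero when anything needs a human decision before kubectl apply.
review_gate() {
  kinds_summary "$1"
  findings=$(rbac_findings "$1")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings" >&2
  return 1
}

# Constructed sample manifest (not real Mission Control output).
sample_manifest() {
  printf '%s\n' 'apiVersion: rbac.authorization.k8s.io/v1' 'kind: ClusterRole' \
    'metadata:' '  name: example-wide' 'rules:' '  - apiGroups: ["*"]' \
    '    resources: ["*"]' '    verbs: ["get"]' '---' \
    'apiVersion: rbac.authorization.k8s.io/v1' 'kind: ClusterRole' \
    'metadata:' '  name: example-narrow' 'rules:' '  - apiGroups: [""]' \
    '    resources: ["pods"]' '    verbs: ["get", "list"]' '---' \
    'apiVersion: rbac.authorization.k8s.io/v1' 'kind: ClusterRoleBinding' \
    'metadata:' '  name: example-admin' 'roleRef:' '  kind: ClusterRole' \
    '  name: cluster-admin'
}
```

Run review_gate against the generated manifest before the admin apply step of both the install and the upgrade. To preview what would change on the cluster, use kubectl diff -f RELEASE_NAME-cluster-resources.yaml --server-side.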

© 2025 DataStax