Skip to main content
Redhat Developers  Logo
  • Products

    Featured

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat OpenShift AI
      Red Hat OpenShift AI
    • Red Hat Enterprise Linux AI
      Linux icon inside of a brain
    • Image mode for Red Hat Enterprise Linux
      RHEL image mode
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • Red Hat Developer Hub
      Developer Hub
    • View All Red Hat Products
    • Linux

      • Red Hat Enterprise Linux
      • Image mode for Red Hat Enterprise Linux
      • Red Hat Universal Base Images (UBI)
    • Java runtimes & frameworks

      • JBoss Enterprise Application Platform
      • Red Hat build of OpenJDK
    • Kubernetes

      • Red Hat OpenShift
      • Microsoft Azure Red Hat OpenShift
      • Red Hat OpenShift Virtualization
      • Red Hat OpenShift Lightspeed
    • Integration & App Connectivity

      • Red Hat Build of Apache Camel
      • Red Hat Service Interconnect
      • Red Hat Connectivity Link
    • AI/ML

      • Red Hat OpenShift AI
      • Red Hat Enterprise Linux AI
    • Automation

      • Red Hat Ansible Automation Platform
      • Red Hat Ansible Lightspeed
    • Developer tools

      • Red Hat Trusted Software Supply Chain
      • Podman Desktop
      • Red Hat OpenShift Dev Spaces
    • Developer Sandbox

      Developer Sandbox
      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Secure Development & Architectures

      • Security
      • Secure coding
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
      • View All Technologies
    • Start exploring in the Developer Sandbox for free

      sandbox graphic
      Try Red Hat's products and technologies without setup or configuration.
    • Try at no cost
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • Java
      Java icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • API Catalog
    • Product Documentation
    • Legacy Documentation
    • Red Hat Learning

      Learning image
      Boost your technical skills to expert-level with the help of interactive lessons offered by various Red Hat Learning programs.
    • Explore Red Hat Learning
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Migrating a namespace-scoped Operator to a cluster-scoped Operator

June 26, 2020
Abhishek Koserwal
Related topics:
DevOpsKubernetesOperators

Share:

    Within the context of Kubernetes, a namespace allows dividing resources, policies, authorization, and a boundary for cluster objects. In this article, we cover two different types of Operators: namespace-scoped and cluster-scoped. We then walk through an example of how to migrate from one to the other, which illustrates the difference between the two.

    Namespace-scoped and cluster-scoped

    A namespace-scoped Operator is defined within the boundary of a namespace with the flexibility to handle upgrades without impacting others. It watches objects within that namespace and maintains Role and RoleBinding for role-based access control (RBAC) policies for accessing the resource.

    Meanwhile, a cluster-scoped Operator promotes reusability and manages defined resources across the cluster. It watches all namespaces in a cluster and maintains ClusterRole and ClusterRoleBinding for RBAC policies for authorizing cluster objects. Two examples of cluster-scoped operators are istio-operator and cert-manager. The istio-operator can be deployed as a cluster-scoped to manage the service mesh for an entire cluster, while the cert-manager is used to issue certificates for an entire cluster.

    These two types of Operators support both types of installation based on your requirements. In the case of a cluster-scoped Operator, upgrading the Operator version can impact resources managed by the Operator in the entire cluster, as compared to upgrading the namespace-scoped Operator, which will be easier to upgrade as it only affects the resource within its scope.

    Migration guide: Namespace-scoped to cluster-scoped

    Let's generate two Operators: namespace-scope-op and cluster-scope-op using operator-sdk:

    $ operator-sdk new namespace-scope-op
    $ operator-sdk new cluster-scope-op

    By default, both Operators are namespace-scoped. Let’s add the kind type Foo to both of these Operators:

    $ operator-sdk add api --api-version=foo.example.com/v1alpha1 --kind=Foo

    I’ll now make changes to the cluster-scope Operator to show how it is different from the namespace-scope Operator.

    Step 1: Watch all of the namespaces

    The first change we need to make in the cluster-scope-op Operator is keeping the namespace option set to empty. To watch all of the namespaces, run:

    $ cluster-scope-op/cmd/manager/main.go

    Figure 1 shows the difference between the results for cluster-scope on the left and namespace-scope on the right.

    Comparison: Watching all of the namespaces
    Figure 1: Comparison: Watching all of the namespaces.

    Step 2: Update the added API schema's scope

    Next, we need to update our API type: *_types.go. If you were setting the namespace scope, you would use:

    // +kubebuilder:resource:path=foos,scope=Namespaced

    To set the cluster scope, use:

    // +kubebuilder:resource:path=foos,scope=Cluster

    Figure 2 shows the difference between the results for cluster-scope on the left and namespace-scope on the right.

    Screenshot of the output for both scopes
    Figure 2: Updating the added API schema's scope.

    Step 3: Generate the CRDs for the cluster-scope Operator

    Now it's time to generate the custom resource definitions (CRDs) for the cluster-scope Operator:

    cluster-scope-op-:$ operator-sdk generate crds
    INFO[0000] Running CRD generator.
    INFO[0000] CRD generation complete.

    Figure 3 shows that the generated CRD was updated for the cluster-scope Operator (on the left) in *crd*.yaml.

    screenshot showing the changed CRD on the left
    Figure 3: Generating the CRDs for cluster-scope.

    Step 4: Update the kind type

    At this point, we update the kind type for Role/RoleBinding to ClusterRole/ClusterRoleBinding.  First, update the kind type from Roleto ClusterRole in role.yaml:

    kind: ClusterRole

    Then, update the kind typeRoleBinding to ClusterRoleBinding and the kind roleRef to ClusterRole in role_binding.yaml:

    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: cluster-scope-op
    subjects:
    - kind: ServiceAccount
      name: cluster-scope-op
      namespace: ${NAMESPACE}
    roleRef:
      kind: ClusterRole
      name: cluster-scope-op
      apiGroup: rbac.authorization.k8s.io

    Caution: The exact resource/verb needed should be specified in the cluster role. Avoid using a wildcard (*) permission for security concerns when defining cluster roles.

    The cluster-scoped Operator will be deployed under a namespace, but the Operator is used to manage the resources in a cluster-wide scope. As compared to namespace scoped Operator, which is deployed under a namespace, but only manage resources under that namespace.

    Step 5: Update the WATCH_NAMESPACE

    Finally, we can add a controller by updating WATCH_NAMESPACE to an empty string in operator.yaml:

    $ operator-sdk add controller --api-version=cache.example.com/v1alpha1 --kind=Foo

    Figure 4 shows how this section looks now for the cluster-scope Operator (on the left) compared to the namespace-scope on the right.

    Cluster namescape scoped operator 4
    Figure 4: Updating the WATCH_NAMESPACE.

    Keep in mind that you need watchers that are entitled to watch the object within the cluster, which are generated by default for the primary object.

    Operator Lifecycle Manager

    If you want to use the Operator Lifecycle Manager (OLM) for deploying the Operator, you can generate the CSV using the command:

    $ operator-sdk generate csv --csv-version 0.0.1

    You can support installModes as you see in this CSV. By default, this CSV supports all installModes:

    installModes:- supported: true
    type: OwnNamespace- supported: true
    type: SingleNamespace- supported: false
    type: MultiNamespace- supported: true
    type: AllNamespaces

    You can also define an Operator group. An OperatorGroup is an OLM resource that provides multitenant configuration to OLM-installed Operators:

    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: my-group
      namespace: my-namespace
    spec:
      targetNamespaces:
      - my-namespace
      - my-other-namespace
      - my-other-other-namespace

    Conclusion

    This is all you need to know in order to make your namespace Operator into a cluster-scoped Operator. Both Operator examples can be found in this repo.

    Last updated: June 25, 2020

    Recent Posts

    • Storage considerations for OpenShift Virtualization

    • Upgrade from OpenShift Service Mesh 2.6 to 3.0 with Kiali

    • EE Builder with Ansible Automation Platform on OpenShift

    • How to debug confidential containers securely

    • Announcing self-service access to Red Hat Enterprise Linux for Business Developers

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit
    © 2025 Red Hat

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue