Operator Lifecycle Manager

The Operator Lifecycle Manager (OLM) provides a declarative way to install and upgrade operators and their dependencies.

You can install the Starboard operator from OperatorHub.io or ArtifactHUB by creating the OperatorGroup, which defines the operator's multitenancy, and Subscription that links everything together to run the operator's pod.

As an example, let's install the operator from the OperatorHub catalog in the starboard-system namespace and configure it to watch the default namespaces:

1. Install the Operator Lifecycle Manager:

   curl -L https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.18.3/install.sh -o install.sh
   chmod +x install.sh
   ./install.sh v0.18.3
   

   or

   kubectl apply -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.18.3/crds.yaml
   kubectl apply -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.18.3/olm.yaml
   

2. Create the namespace to install the operator in:

   kubectl create ns starboard-system
   

3. Declare default as the target namespace by creating the OperatorGroup:

   cat << EOF | kubectl apply -f -
   apiVersion: operators.coreos.com/v1alpha2
   kind: OperatorGroup
   metadata:
     name: starboard-operator
     namespace: starboard-system
   spec:
     targetNamespaces:
     - default
   EOF
   

4. (Optional) Configure Starboard by creating the starboard ConfigMap and the starboard secret in the starboard-system namespace. For example, you can use Trivy in ClientServer mode or Aqua Enterprise as an active vulnerability scanner. If you skip this step, the operator will ensure configuration objects on startup with the default settings:

   kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/v0.13.0/deploy/static/03-starboard-operator.config.yaml
   

   Review the default values and makes sure the operator is configured properly:

   kubectl describe cm starboard starboard-trivy-config starboard-polaris-config -n starboard-system
   

5. Install the operator by creating the Subscription:

   cat << EOF | kubectl apply -f -
   apiVersion: operators.coreos.com/v1alpha1
   kind: Subscription
   metadata:
     name: starboard-operator
     namespace: starboard-system
   spec:
     channel: alpha
     name: starboard-operator
     source: operatorhubio-catalog
     sourceNamespace: olm
     installPlanApproval: Automatic
     config:
       env:
       - name: OPERATOR_SCAN_JOB_TIMEOUT
         value: "60s"
       - name: OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT
         value: "10"
       - name: OPERATOR_LOG_DEV_MODE
         value: "true"
   EOF
   

   The operator will be installed in the starboard-system namespace and will be usable from the default namespace. Note that the spec.config property allows you to override the default configuration of the operator's Deployment.

6. After install, watch the operator come up using the following command:

   $ kubectl get clusterserviceversions -n starboard-system
   NAME                        DISPLAY              VERSION   REPLACES                     PHASE
   starboard-operator.v0.13.0  Starboard Operator   0.13.0    starboard-operator.v0.12.0   Succeeded
   

   If the above command succeeds and the ClusterServiceVersion has transitioned from Installing to Succeeded phase you will also find the operator's Deployment in the same namespace where the Subscription is:

   $ kubectl get deployments -n starboard-system
   NAME                 READY   UP-TO-DATE   AVAILABLE   AGE
   starboard-operator   1/1     1            1           11m
   

   If for some reason it's not ready yet, check the logs of the Deployment for errors:

   kubectl logs deployment/starboard-operator -n starboard-system
   

Uninstall

To uninstall the operator delete the Subscription, the ClusterServiceVersion, and the OperatorGroup:

kubectl delete subscription starboard-operator -n starboard-system
kubectl delete clusterserviceversion starboard-operator.v0.13.0 -n starboard-system
kubectl delete operatorgroup starboard-operator -n starboard-system
kubectl delete ns starboard-system

You have to manually delete custom resource definitions created by the OLM operator:

Danger

Deleting custom resource definitions will also delete all security reports generated by the operator.

kubectl delete crd vulnerabilityreports.aquasecurity.github.io
kubectl delete crd configauditreports.aquasecurity.github.io
kubectl delete crd clusterconfigauditreports.aquasecurity.github.io
kubectl delete crd ciskubebenchreports.aquasecurity.github.io