Operator Lifecycle Manager¶
The Operator Lifecycle Manager (OLM) provides a declarative way to install and upgrade operators and their dependencies.
You can install the Starboard operator from OperatorHub.io or ArtifactHUB by creating the OperatorGroup, which defines the operator's multitenancy, and Subscription that links everything together to run the operator's pod.
As an example, let's install the operator from the OperatorHub catalog in the starboard-system
namespace and
configure it to watch the default
namespaces:
- Install the Operator Lifecycle Manager:
or
curl -L https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.18.3/install.sh -o install.sh chmod +x install.sh ./install.sh v0.18.3
kubectl apply -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.18.3/crds.yaml kubectl apply -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.18.3/olm.yaml
- Create the namespace to install the operator in:
kubectl create ns starboard-system
- Declare
default
as the target namespace by creating the OperatorGroup:cat << EOF | kubectl apply -f - apiVersion: operators.coreos.com/v1alpha2 kind: OperatorGroup metadata: name: starboard-operator namespace: starboard-system spec: targetNamespaces: - default EOF
- (Optional) Configure Starboard by creating the
starboard
ConfigMap and thestarboard
secret in thestarboard-system
namespace. For example, you can use Trivy in ClientServer mode or Aqua Enterprise as an active vulnerability scanner. If you skip this step, the operator will ensure configuration objects on startup with the default settings:Review the default values and makes sure the operator is configured properly:kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/v0.14.0/deploy/static/03-starboard-operator.config.yaml
kubectl describe cm starboard starboard-trivy-config starboard-polaris-config -n starboard-system
-
Install the operator by creating the Subscription:
The operator will be installed in thecat << EOF | kubectl apply -f - apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: starboard-operator namespace: starboard-system spec: channel: alpha name: starboard-operator source: operatorhubio-catalog sourceNamespace: olm installPlanApproval: Automatic config: env: - name: OPERATOR_SCAN_JOB_TIMEOUT value: "60s" - name: OPERATOR_CONCURRENT_SCAN_JOBS_LIMIT value: "10" - name: OPERATOR_LOG_DEV_MODE value: "true" EOF
starboard-system
namespace and will be usable from thedefault
namespace. Note that thespec.config
property allows you to override the default configuration of the operator's Deployment. -
After install, watch the operator come up using the following command:
If the above command succeeds and the ClusterServiceVersion has transitioned from$ kubectl get clusterserviceversions -n starboard-system NAME DISPLAY VERSION REPLACES PHASE starboard-operator.v0.14.0 Starboard Operator 0.14.0 starboard-operator.v0.13.2 Succeeded
Installing
toSucceeded
phase you will also find the operator's Deployment in the same namespace where the Subscription is:If for some reason it's not ready yet, check the logs of the Deployment for errors:$ kubectl get deployments -n starboard-system NAME READY UP-TO-DATE AVAILABLE AGE starboard-operator 1/1 1 1 11m
kubectl logs deployment/starboard-operator -n starboard-system
Uninstall¶
To uninstall the operator delete the Subscription, the ClusterServiceVersion, and the OperatorGroup:
kubectl delete subscription starboard-operator -n starboard-system
kubectl delete clusterserviceversion starboard-operator.v0.14.0 -n starboard-system
kubectl delete operatorgroup starboard-operator -n starboard-system
kubectl delete ns starboard-system
You have to manually delete custom resource definitions created by the OLM operator:
Danger
Deleting custom resource definitions will also delete all security reports generated by the operator.
kubectl delete crd vulnerabilityreports.aquasecurity.github.io
kubectl delete crd configauditreports.aquasecurity.github.io
kubectl delete crd clusterconfigauditreports.aquasecurity.github.io
kubectl delete crd ciskubebenchreports.aquasecurity.github.io