An operator deployment must be configured to manage Kubernetes namespaces, and a number of Kubernetes resources must be present in a namespace before any WebLogic Server instances can be successfully started by operator. These Kubernetes resources are created either as part of the installation of the operator’s Helm chart, or are created by the operator.
An operator can manage all WebLogic domains in all namespaces in a Kubernetes cluster, or only manage domains in a specific subset of the namespaces, or manage only the domains that are located in the same namespace as the operator. You can change the namespaces that an operator deployment manages while the operator is still running. You can also create and prepare a namespace for the operator to manage while the operator is still running.
There can be multiple operators in a Kubernetes cluster, and in that case, you must ensure that the namespaces managed by these operators do not overlap. At most, a namespace can be managed by one operator.
An operator can manage domain resources in multiple namespaces, including its own namespace, but two operators cannot manage domains that are in the same namespace. The operator installation Helm chart domainNamespaceSelectionStrategy configuration setting controls which namespaces an operator manages.
Strategy | Description | Example |
---|---|---|
LabelSelector |
This is the default. The operator will manage namespaces with Kubernetes labels that match the label selector defined by your Helm chart configuration domainNamespaceLabelSelector attribute, which defaults to weblogic-operator=enabled . |
With the Helm chart defaults, the operator will manage namespaces that have a label named weblogic-operator when this label has the value enabled . You can label the namespace sample-domain1-ns using the command kubectl label namespace sample-domain1-ns weblogic-operator=enabled . You can define a different label selector for your operator installation using the domainNamespaceLabelSelector , such as --set "domainNamespaceLabelSelector=environment\=prod" . For detailed syntax requirements, see domainNamespaceLabelSelector in the Configuration Reference. |
RegExp |
The operator will manage namespaces that match the regular expression set by your domainNamespaceRegExp Helm chart configuration attribute. |
If you want an operator to manage namespaces that start with the string prod , then use --set "domainNamespaceSelectionStrategy=RegExp" for your operator Helm configuration setting, and set the domainNamespaceRegExp Helm chart configuration attribute using --set "domainNamespaceRegExp=^prod" . |
Dedicated |
The operator will manage only domains that are in the same namespace as the operator. | If the operator is deployed to namespace my-operator-ns and was installed using --set "domainNamespaceSelectionStrategy=Dedicated" in its Helm chart configuration, then the operator will manage only domains in the my-operator-ns namespace. Customers often choose this strategy if a third-party or infrastructure team manages the Kubernetes cluster and the team installing the operator, such as an applications team, will have privilege only within one namespace. For more details on this use case, see Local namespace only with cluster role binding disabled. |
List |
The operator will manage the namespaces included in the domainNamespaces operator installation Helm chart configuration value, which is a list that defaults to {default} . |
If you want to manage namespaces default and ns1 , then in your operator installation Helm chart configuration, use --set "domainNamespaceSelectionStrategy=List" and --set "domainNamespaces={default,ns1}" . |
For detailed reference information about each setting, see WebLogic domain management.
NOTES:
FAILED
Helm release and generate an error similar to
Error: release op2 failed: rolebindings.rbac.authorization.k8s.io "weblogic-operator-rolebinding-namespace" already exists
.If your operator Helm enableClusterRoleBinding
configuration value is true
, then
the operator has permission to manage any namespace and can automatically
manage a namespace that is added after the operator was last installed or upgraded.
If your operator Helm enableClusterRoleBinding
configuration value is false
, then:
The operator Helm chart will create RoleBindings in each namespace that matches
your domain namespace selection criteria during a call to helm install
or helm upgrade
.
These RoleBindings give the operator’s service account the necessary privileges in the namespace.
The Helm chart will only create these RoleBindings in namespaces that match the operator’s domain namespace selection criteria at the time the chart is installed or upgraded.
If you later create namespaces
that match a List
, LabelSelector
, or RegExp
selector,
then the operator will not have privilege in these namespaces until you upgrade the Helm release.
You can resolve this issue by performing
a helm upgrade
on an already installed operator Helm release.
For example, with an operator release name weblogic-operator
:
$ helm upgrade weblogic-operator/weblogic-operator --reuse-values
NOTE: If you still run into problems after you perform the helm upgrade
to re-initialize a namespace
that is deleted and recreated, then you can
try forcing the operator to restart.
For a detailed description of the operator’s security related resources, see the operator’s role-based access control (RBAC) requirements which are documented here.
Prior to version 3.1.0, the operator supported specifying the namespaces that it would manage only through a list. Now, the operator supports a list of namespaces, a label selector, or a regular expression matching namespace names.
When using a namespace list
For operators that specify namespaces by a list, you can find the list of the namespaces using the helm get values
command.
For example, the following command shows all the values of the operator release weblogic-operator
; the domainNamespaces
list contains default
and ns1
:
$ helm get values weblogic-operator
domainNamespaces:
- default
- ns1
elasticSearchHost: elasticsearch.default.svc.cluster.local
elasticSearchPort: 9200
elkIntegrationEnabled: false
externalDebugHttpPort: 30999
externalRestEnabled: false
externalRestHttpsPort: 31001
image: ghcr.io/oracle/weblogic-kubernetes-operator:4.2.13
imagePullPolicy: IfNotPresent
internalDebugHttpPort: 30999
javaLoggingLevel: INFO
logStashImage: logstash:6.6.0
remoteDebugNodePortEnabled: false
serviceAccount: default
suspendOnDebugStartup: false
If you don’t know the release name of the operator, you can use helm list
to list all the releases for a specified namespace or all namespaces:
$ helm list --namespace <namespace>
$ helm list --all-namespaces
When using a label selector
For operators that select namespaces with a selector, simply list namespaces using that selector:
$ kubectl get ns --selector="weblogic-operator=enabled"
You can see the labels on all namespaces by calling:
$ kubectl get ns --show-labels
When using regular expression matching
For operators that select namespaces with a regular expression matching the name, you can use a combination of kubectl
and any command-line tool that can process the regular expression, such as grep
:
$ kubectl get ns -o go-template='{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' | grep "^weblogic"
This section describes the steps for adding, deleting, or recreated namespaces that are managed by a running operator.
The following are steps for adding namespaces that are managed by a running operator.
When using a namespace list
When the operator is configured to manage a list of namespaces and you want the operator to manage an additional namespace,
you need to add the namespace to the operator’s domainNamespaces
list. Note that this namespace has to already exist, for example,
using the kubectl create
command.
Adding a namespace to the domainNamespaces
list tells the operator to initialize the necessary
Kubernetes resources so that the operator is ready to manage WebLogic Server instances in that namespace.
When the operator is managing the default
namespace, the following example Helm command adds the namespace ns1
to the domainNamespaces
list, where weblogic-operator
is the release name of the operator:
$ helm upgrade \
weblogic-operator/weblogic-operator \
--reuse-values \
--set "domainNamespaces={default,ns1}" \
--wait
You can verify that the operator has initialized a namespace by confirming the existence of the required configmap
resource.
$ kubetctl get cm -n <namespace>
For example, the following example shows that the domain configmap
resource exists in the namespace ns1
.
$ kubectl get cm -n ns1
NAME DATA AGE
weblogic-scripts-cm 14 12m
When using a label selector or regular expression
For operators configured to select managed namespaces through the use of a label selector or regular expression, you need to create a namespace with the appropriate labels or with a name that matches the expression, respectively.
If your operator Helm enableClusterRoleBinding
configuration value is false
,
then a running operator will not have privilege to manage the newly added namespace until you upgrade
the operator’s Helm release.
See Ensuring the operator has permission to manage a namespace.
The following are steps for deleting namespaces that are managed by a running operator.
When using a namespace list
When the operator is configured to manage a list of namespaces and you no longer want a namespace to be managed by the operator, you need to:
domainNamespaces
list.While the operator is running and managing the default
and ns1
namespaces, the following example Helm
command removes the namespace ns1
from the domainNamespaces
list, where weblogic-operator
is the release
name of the operator:
$ helm upgrade \
weblogic-operator/weblogic-operator \
--reuse-values \
--set "domainNamespaces={default}" \
--wait
When using a label selector or regular expression
For operators configured to select managed namespaces through the use of a label selector or regular expression, you need to delete the namespace. For the label selector option, you can also adjust the labels on the namespace so that the namespace no longer matches the selector.
The following are steps for recreating previously deleted namespaces that are managed by a running operator.
When using a namespace list
If you deleted a namespace (and the resources in it) and then want to recreate it:
kubectl create
command.domainNamespaces
list using the helm upgrade
command illustrated previously.If a domain custom resource is created before the namespace is ready, you might see that the introspector job pod
fails to start, with a warning like the following, when you review the description of the introspector pod.
Note that domain1
is the name of the domain in the following example output.
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 1m default-scheduler Successfully assigned domain1-introspector-bz6rw to slc16ffk
Normal SuccessfulMountVolume 1m kubelet, slc16ffk MountVolume.SetUp succeeded for volume "weblogic-credentials-volume"
Normal SuccessfulMountVolume 1m kubelet, slc16ffk MountVolume.SetUp succeeded for volume "default-token-jzblm"
Warning FailedMount 27s (x8 over 1m) kubelet, slc16ffk MountVolume.SetUp failed for volume "weblogic-scripts-cm-volume" : configmaps "weblogic-scripts-cm" not found
If you still run into problems after you perform the helm upgrade
to re-initialize a namespace
that was deleted and recreated, then you can
try forcing the operator to restart.
When using a label selector or regular expression
If your operator Helm enableClusterRoleBinding
configuration value is false
,
then a running operator will not have privilege to manage the newly recreated namespace until you upgrade
the operator’s Helm release.
See Ensuring the operator has permission to manage a namespace.