circle-info
Webinar | Deploy MariaDB Cloud in Your Microsoft Azure Account. Retain Control.
Watch Nowarrow-up-right
search
Download MariaDBContact Us

OpenShift

This guide details installing the MariaDB Enterprise Kubernetes Operator on OpenShift, leveraging the Operator Lifecycle Manager, and configuring image pull credentials.

This documentation provides guidance on installing the MariaDB Enterprise Kubernetes Operator operator in OpenShift. This operator has been certified by Red Hatarrow-up-right and it is available in the OpenShift console.

Operators are deployed into OpenShift with the Operator Lifecycle Manager (OLM)arrow-up-right, which facilitates the installation, updates, and overall management of their lifecycle.

hashtag
Prerequisites

Configure your customer credentials as described in the documentation to be able to pull images.

The recommended way to configure credentials is to use the global pull secretarrow-up-right provided by OpenShift, as described in this section. Alternatively, the operator bundle has a mariadb-enterprise imagePullSecret configured by default. This means that you can configure a Secret named mariadb-enterprise in same namespace where the operator will be installed in order to pull images from the MariaDB Enterprise registry.

hashtag
PackageManifest

You can install the certified operator in OpenShift clusters that have the mariadb-enterprise-operator packagemanifest available. In order to check this, run the following command:

oc get packagemanifests -n openshift-marketplace mariadb-enterprise-operator

NAME                          CATALOG                 AGE
mariadb-enterprise-operator   Certified Operators     21h

hashtag
SecurityContextConstraints

Both the operator and the operand Pods run with the restricted-v2 SecurityContextConstraint, the most restrictive SCC in OpenShift in terms of container permissions. This implies that OpenShift automatically assigns a SecurityContext for the Pods with minimum permissions, for example:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  runAsNonRoot: true
  runAsUser: 1000650000
circle-exclamation

OpenShift does not assign SecurityContexts in the default and kube-system namespaces. Please refrain from deploying operands on them, as it will result in permission errors when trying to write to the filesystem.

You can read more about SecurityContextConstraints in the OpenShift documentationarrow-up-right.

hashtag
Installation in all namespaces

To install the operator watching resources on all namespaces, you need to create a Subscription object for mariadb-enterprise-operator using the stable channel in the openshift-operators namespace:

This will use the global-operators OperatorGroup that is created by default in the openshift-operators namespace. This OperatorGroup will watch all namespaces in the cluster, and the operator will be able to manage resources across all namespaces.

You can read more about OperatorGroups in the OpenShift documentationarrow-up-right.

hashtag
Installation in specific namespaces

In order to define which namespaces the operator will be watching, you need to create an OperatorGroup in the namespace where the operator will be installed:

This OperatorGroup will watch the namespaces defined in the targetNamespaces field. The operator will be able to manage resources only in these namespaces.

Then, the operator can be installed by creating a Subscription object in the same namespace as the OperatorGroup:

hashtag
Release channels

We maintain support across a variety of OpenShift channels to ensure compatibility with different release schedules and stability requirements. Below, you will find an overview of the specific OpenShift channels we support.

Channel
Supported OpenShift Versions
Description

stable

4.18, 4.16

Points to the latest stable version of the operator. This channel may span multiple major versions.

stable-v25.10

4.18, 4.16

v25.10.x is an LTS release. This channel points to the latest patch release of 25.10. Use this if you require version pinning to a stable version of the operator without necessarily looking for newer features.

An example Subscription would look like this:

hashtag
Updates

Updates are fully managed by OLM and controlled by the installPlanApproval field in the Subscription object. The default value is Automatic, which means that OLM will automatically update the operator to the latest version available in the channel. If you want to control the updates, you can set this field to Manual, and OLM will only update the operator when you approve the update.

hashtag
Uninstalling

The first step for uninstalling the operator is to delete the Subscription object. This will not remove the operator, but it will stop OLM from managing the operator:

After that, you can uninstall the ClusterServiceVersion (CSV) object that was created by OLM. This will remove the operator from the cluster:

hashtag
OpenShift console

As an alternative to create Subscription objects via the command line, you can install operators by using the OpenShift console. Go to the Operators > OperatorHub section and search by mariadb enterprise:

Select MariaDB Enterprise Kubernetes Operator, click on install, and you will be able to create a Subscription object via the UI.

Once deployed, the operator comes with example resources that can be deployed from the console directly. For instance, to create a MariaDB:

As you can see in the previous screenshot, the form view that the OpenShift console offers is limited, we recommend using the YAML view:

This page is: Copyright © 2025 MariaDB. All rights reserved.

spinner
PreviousHelmNextQuickstart

Last updated

Was this helpful?