CRD Scope

Overview

This page details the various methods to control the scope of a CRD. See the operator scope doc for information on configuring operator scope, such as which namespaces to watch.

Custom Resource Definitions (CRDs) contain a scope field that determines whether the resulting Custom Resource (CR) is cluster or namespace scoped. An operator author might use a namespaced-scoped CRD to restrict access to a CR to certain namespaces, or to have different versions of CRs accessible in different namespaces. Alternatively, an operator author might want a cluster-scoped CRD so all namespaces have visibility and access to CRs.

The CRD manifests are generated by the operator-sdk create api command in config/crd/bases. A CRD’s spec.scope field controls API scope; valid values are Cluster and Namespaced. For an Operator-sdk Go project, this value is determined by the operator-sdk create api --namespaced boolean flag, which edits the types.go file for the resource. For other operator types, the command edits spec.scope in the CRD’s YAML manifest directly.

Set create api –namespaced flag

When creating a new API, the --namespaced flag controls whether the resulting CRD will be cluster or namespace scoped. By default, --namespaced is set to true which sets the scope to Namespaced. An example command to create a cluster-scoped API would be:

$ operator-sdk create api --group cache --version v1alpha1 --kind Memcached --resource=true --controller=true --namespaced=false

Set Scope Marker in types.go

You can also manually set the scope in the Go types.go file by adding or changing the kubebuilder scope marker to your resource. This file is usually located in api/<version>/<kind>_types.go or apis/<group>/<version>/<kind>_types.go if you are using the multigroup layout. Once this marker is set, the CRD files will be generated with the approriate scope. Here is an example API type with the marker set to cluster scope:

//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
//+kubebuilder:resource:scope=Cluster

// Memcached is the Schema for the memcacheds API
type Memcached struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   MemcachedSpec   `json:"spec,omitempty"`
	Status MemcachedStatus `json:"status,omitempty"`
}

To set the scope to namespaced, the marker would be set to //+kubebuilder:resource:scope=Namespaced instead.

Set scope in CRD YAML file

The scope can be manually set directly in the CRD’s Kind YAML file, normally located in config/crd/bases/<group>.<domain>_<kind>.yaml. An example YAML file for a namespace-scoped CRD is shown below:

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.2.5
  creationTimestamp: null
  name: memcacheds.cache.example.com
spec:
  group: cache.example.com
  names:
    kind: Memcached
    listKind: MemcachedList
    plural: memcacheds
    singular: memcached
  scope: Namespaced
  subresources:
    status: {}
...   
Last modified April 21, 2022: Fix marker for kubebuilder (#5672) (df06f4ba)