MinIO Kubernetes Operator

Overview

The MinIO Kubernetes Operator (“MinIO Operator”) brings native support for deploying and managing MinIO deployments (“MinIO Tenant”) on a Kubernetes cluster.

The MinIO Operator requires familiarity with interacting with a Kubernetes cluster, including but not limited to using the kubectl command line tool and interacting with Kubernetes YAML objects. Users who would prefer a more simplified experience should use the MinIO Kubernetes Plugin for deploying and managing MinIO Tenants.

The MinIO Kubernetes Operator v4.0.0 requires Kubernetes 1.17.0 or later.

Deploying the MinIO Operator

The following operations deploy the MinIO operator using kustomize templates. Users who would prefer a more simplified deployment experience that does not require familiarity with kustomize should use the MinIO Kubernetes Plugin for deploying and managing MinIO Tenants.

Use the following command to deploy the MinIO Operator using kubectl and kustomize templates:

kubectl apply -k github.com/minio/operator/\?ref\=|minio-operator-latest-version|

Alternatively, use kustomize to render the MinIO Operator manifests from the kustomize templates into a local YAML file:

kustomize build github.com/minio/operator/\?ref\=|minio-operator-latest-version| \
   > minio-operator-|minio-operator-latest-version|.yaml

MinIO Tenant Object

The following example Kubernetes object describes a MinIO Tenant with the following resources:

  • 4 minio server processes.

  • 4 Volumes per server.

  • 2 MinIO Console Service (MCS) processes.

apiVersion: minio.min.io/v1
kind: Tenant
metadata:
  creationTimestamp: null
  name: minio-tenant-1
  namespace: minio-tenant-1
scheduler:
  name: ""
spec:
  certConfig: {}
  console:
    consoleSecret:
      name: minio-tenant-1-console-secret
    image: minio/console:v0.3.14
    metadata:
      creationTimestamp: null
      name: minio-tenant-1
    replicas: 2
    resources: {}
  credsSecret:
    name: minio-tenant-1-creds-secret
  image: minio/minio:RELEASE.2020-09-26T03-44-56Z
  imagePullSecret: {}
  liveness:
    initialDelaySeconds: 10
    periodSeconds: 1
    timeoutSeconds: 1
  mountPath: /export
  requestAutoCert: true
  serviceName: minio-tenant-1-internal-service
  zones:
  - resources: {}
    servers: 4
    volumeClaimTemplate:
      apiVersion: v1
      kind: persistentvolumeclaims
      metadata:
        creationTimestamp: null
      spec:
        accessModes:
        - ReadWriteOnce
        storageClassName: local-storage
        resources:
          requests:
            storage: 10Gi
      status: {}
    volumesPerServer: 4

MinIO Operator YAML Reference

The MinIO Operator adds a CustomResourceDefinition that extends the Kubernetes Object API to support creating MinIO Tenant objects.

The following YAML block describes a MinIO Tenant object and its top-level fields.

apiVersion: minio.min.io/v1
kind: Tenant
metadata:
   name: minio
   namespace: <string>
   labels:
      app: minio
   annotations:
      prometheus.io/path: <string>
      prometheus.io/port: "<string>"
      prometheus.io/scrape: "<bool>"
spec:
   certConfig: <object>
   console: <object>
   credsSecret: <object>
   env: <object>
   externalCaCertSecret: <array>
   externalCertSecret: <array>
   externalClientCertSecret: <object>
   image: minio/minio:latest
   imagePullPolicy: IfNotPresent
   kes: <object>
   mountPath: <string>
   podManagementPolicy: <string>
   priorityClassName: <string>
   requestAutoCert: <boolean>
   securityContext: <object>
   pools: <array>
   serviceAccountName: <string>
   subPath: <string>

Minimum Required Fields

apiVersion: minio.min.io/v1
kind: Tenant
metadata:
   name: minio
   labels:
      app: minio
spec:
   pools:
      - servers: <int>
        volumeClaimTemplate:
           spec:
              accessModes: <array>
              resources:
                 requests:
                    storage: <string>
        volumesPerServer: <int>

Core Fields

The following fields describe the core settings used to deploy a MinIO Tenant.

apiVersion: minio.min.io/v1
kind: Tenant
metadata:
   name: <string>
   namespace: <string>
   labels:
      app: minio
   annotations:
      prometheus.io/path: <string>
      prometheus.io/port: <string>
      prometheus.io/scrape: <string>
spec:
   credsSecret: <object>
   env: <object>

   pools:
      - affinity: <object>
        name: <string>
        nodeSelector: <object>
        resources: <object>
        servers: <int>
        tolerations: <array>
        volumeClaimTemplate: <object>
        volumesPerServer: <integer>

apiVersion

Required

The API Version of the MinIO Tenant Object.

Specify minio.min.io/v1.

See the Kubernetes API reference on CustomResourceDefinition objects for more complete documentation on this field.

kind

Required

The REST resource the object represents. Specify Tenant.

See the Kubernetes API reference on CustomResourceDefinition objects for more complete documentation on this field.

metadata

The root field for describing metadata related to the Tenant object.

See the Kubernetes API reference on ObjectMeta objects for more complete documentation on this field.

metadata.name

Required

The name of the Tenant resource. The name must be unique within the target namespace.

See the Kubernetes API reference on ObjectMeta objects for more complete documentation on this field.

metadata.namespace

Required

The namespace in which Kubernetes deploys the Tenant resource. Omit to use the “Default” namespace. MinIO recommends creating a namespace for each MinIO Tenant deployed in the Kubernetes cluster.

metadata.labels

The Kubernetes labels to apply to the MinIO Tenant Object.

Specify at minimum the following key-value pair:

metadata:
   labels:
      app: minio

metadata.annotations

One or more Kubernetes annotations to associate with the MinIO Tenant Object.

MinIO Tenants support the following annotations:

  • prometheus.io/path: <string>

  • prometheus.io/port: <string>

  • prometheus.io/scrape: <bool>

spec

The root field for the MinIO Tenant Specification.

spec.credsSecret

The Kubernetes secret containing values to use for setting the MinIO access key and secret key. The MinIO Operator automatically generates the secret along with values for the access and secret key if this field is omitted.

Specify an object where the name field contains the name of the Kubernetes secret to use:

spec:
   credsSecret:
      name: minio-secret

The Kubernetes secret should contain the following values:

  • data.accesskey - the Access Key for each minio server in the Tenant.

  • data.secretkey - the Secret Key for each minio server in the Tenant.

spec.env

The environment variables available for use by the MinIO Tenant.

See the Kubernetes API reference on EnvVar objects for more complete documentation on this field.

spec.mountPath

Optional

The mount path for Persistent Volumes bound to minio pods in the MinIO Tenant.

Defaults to /export.

spec.s3

Optional

The S3-related features enabled on the MinIO Tenant.

Specify any of the following supported features as part of the s3 object:

  • bucketDNS: <boolean> - specify true to enable DNS lookup of buckets on the MinIO Tenant.

spec.subPath

Optional

The sub path appended to the spec.mountPath. The resulting full path is the directory in which MinIO stores data.

For example, given a mountPath of export and a subPath of minio, the full mount path is export/minio.

Defaults to empty ("").

spec.pools

Required

The configuration for each MinIO Pool deployed in the MinIO Tenant. A Pool consists of one or more minio servers which represent a single “block” of storage. Pools are independent of each other and support horizontal scaling of available storage resources in the MinIO Tenant.

Each element in the pools array is an object that must contain the following fields:

pools must have at least one element in the array.

spec.pools.affinity

Optional

The configuration for node affinity, pod affinity, and pod anti-affinity applied to each pod in the Pool.

See the Kubernetes API reference on Affinity for more complete documentation on this field.

spec.pools.name

Optional

The name of the MinIO Pool object.

The MinIO Operator automatically generates the Pool name if this field is omitted.

spec.pools.nodeSelector

Optional

The filter to apply when selecting which node or nodes on which to deploy each pod in the Pool. See the Kubernetes documentation on Assigning Pods to Nodes for more information.

See the Kubernetes API reference on NodeSelector objects for more complete documentation on this field.

spec.pools.resources

Optional

The resources each pod in the Pool requests.

See the Kubernetes API reference on ResourceRequirements objects for more complete documentation on this field.

spec.pools.servers

Required

The number of minio pods to deploy in the Pool.

The minimum number of servers is 2. MinIO recommends a minimum of 4 servers for optimal availability and distribution of data in the Pool.

spec.pools.tolerations

Optional

The Tolerations applied to pods deployed in the Pool.

spec.pools.volumeClaimTemplate

Required

The configuration template to apply to each Persistent Volume Claim (PVC) created as part of the Pool.

See spec.pools.volumeClaimTemplate for more complete documentation on the full specification of the volumeClaimTemplate object.

The MinIO Operator calculates the number of PVCs to generate by multiplying spec.pools.volumesPerServer by spec.pools.servers.

spec.pools.volumesPerServer

Required

The number of Persistent Volume Claims (PVC) to create for each server in the Pool.

The total number of volumes in the Pool must be greater than 4. Specifically:

servers X volumesPerServer > 4

The MinIO Operator calculates the number of PVCs to generate by multiplying spec.pools.volumesPerServer by spec.pools.servers.

Volume Claim Template

The following fields describe the template used to generate Persistent Volume Claims (PVC) for use in the MinIO Tenant.

spec:
   pools:
   - volumeClaimTemplate:
        apiVersion: <string>
        kind: <string>
        metadata: <object>
        spec:
           accessModes: <array>
           dataSource: <object>
           resources: <object>
           selector: <object>
           storageClassName: <string>
           volumeMode: <string>
           volumeName: <string>
        status: <object>

spec.pools.volumeClaimTemplate

Required

The configuration template to apply to each Persistent Volume Claim (PVC) created as part of a Pool. The volumeClaimTemplate dictates which Persistent Volumes (PV) the generated PVC can bind to.

The volumeClaimTemplate requires at minimum the following fields:

The MinIO Operator calculates the number of PVCs to generate by multiplying spec.pools.volumesPerServer by spec.pools.servers.

spec.pools.volumeClaimTemplate.apiVersion

Optional

The API Version of the volumeClaimTemplate.

Specify minio.min.io/v1.

spec.pools.volumeClaimTemplate.kind

Optional

The REST resource the object represents.

spec.pools.volumeClaimTemplate.metadata

Optional

The metadata for the volumeClaimTemplate.

See the Kubernetes API reference on ObjectMeta objects for more complete documentation on this field.

spec.pools.volumeClaimTemplate.spec

The specification applied to each Persistent Volume Claim (PVC) created using the volumeClaimTemplate.

See the Kubernetes API reference on PersistentVolumeClaimSpec for more complete documentation on this field.

spec.pools.volumeClaimTemplate.spec.accessModes

Required

The desired access mode for each Persistent Volume Claim (PVC) created using the volumeClaimTemplate.

See the Kubernetes API reference on PersistentVolumeClaimSpec for more complete documentation on this field.

spec.pools.volumeClaimTemplate.spec.dataSource

Optional

The data source to use for each Persistent Volume Claim (PVC) created using the volumeClaimTemplate.

See the Kubernetes API reference on PersistentVolumeClaimSpec for more complete documentation on this field.

spec.pools.volumeClaimTemplate.spec.resources

Required

The resources requested by each Persistent Volume Claim (PVC) created using the volumeClaimTemplate.

The resources object must include a requests.storage object:

spec:
   pools:
      - name: minio-server-set-1
        volumeClaimTemplate:
           spec:
              resources:
                 requests:
                    storage: <string>

The following table lists the supported units for the storage capacity.

Suffix   Unit Size
k        KB (Kilobyte, 1000 Bytes)
m        MB (Megabyte, 1000 Kilobytes)
g        GB (Gigabyte, 1000 Megabytes)
t        TB (Terabyte, 1000 Gigabytes)
ki       KiB (Kibibyte, 1024 Bytes)
mi       MiB (Mebibyte, 1024 Kibibytes)
gi       GiB (Gibibyte, 1024 Mebibytes)
ti       TiB (Tebibyte, 1024 Gibibytes)

See the Kubernetes API reference on PersistentVolumeClaimSpec for more complete documentation on this field.

spec.pools.volumeClaimTemplate.spec.selector

Optional

The selector logic to apply when querying available Persistent Volumes (PV) for binding to the Persistent Volume Claim (PVC).

See the Kubernetes API reference on PersistentVolumeClaimSpec for more complete documentation on this field.

spec.pools.volumeClaimTemplate.spec.storageClassName

Optional

The storage class to apply to each Persistent Volume Claim (PVC) created using the volumeClaimTemplate.

See the Kubernetes API reference on PersistentVolumeClaimSpec for more complete documentation on this field.

spec.pools.volumeClaimTemplate.spec.volumeMode

Optional

The type of Persistent Volume (PV) required by the claim. Defaults to Filesystem if omitted.

See the Kubernetes API reference on PersistentVolumeClaimSpec for more complete documentation on this field.

spec.pools.volumeClaimTemplate.spec.volumeName

Optional

The name to apply to each Persistent Volume Claim (PVC) created using the volumeClaimTemplate.

MinIO Docker Image

The following fields describe the Docker settings used by the MinIO Tenant.

spec:
   image: <string>
   imagePullPolicy: <string>
   imagePullSecret: <string>

spec.image

The Docker image to use for the minio server process.

Defaults to the latest stable release of minio/minio if omitted.

spec.imagePullPolicy

The Docker pull policy to use for the specified spec.image.

Specify one of the following values:

  • Always - Always pull the image.

  • Never - Never pull the image.

  • IfNotPresent - Pull the image if not already present.

Defaults to IfNotPresent if omitted.

spec.imagePullSecret

The secret to use for pulling images from private Docker repositories.

Transport Layer Encryption (TLS)

The following fields describe the Transport Layer Encryption (TLS) settings of a MinIO Tenant, including automatic TLS certificate generation.

spec:
   requestAutoCert: <boolean>
   certConfig:
      commonName: <string>
      dnsNames: <array>
      organizationName: <array>
   externalCaCertSecret:
      - name: <string>
        type: kubernetes.io/tls
   externalCertSecret:
      - name: <string>
        type: kubernetes.io/tls
   externalClientCertSecret:
      name: <string>
      type: kubernetes.io/tls

spec.requestAutoCert

Optional

Enables or disables automatic generation of self-signed x.509 certificates for supporting TLS on pods and services in the MinIO Tenant.

  • Specify true to enable (Default).

  • Specify false to disable.

Certificates generated as part of requestAutoCert are always self-signed. Use externalCertSecret to specify custom x.509 certificates for use by the MinIO Tenant, such as certificates signed by a trusted Certificate Authority (CA).

  • Use the externalCertSecret field to specify custom x.509 certificates for use by pods and services in the MinIO Tenant.

  • Use the externalCaCertSecret field to specify Certificate Authorities (CA) for the MinIO Tenant to use when verifying the x.509 certificates presented by a client.

See the Kubernetes documentation on Manage TLS Certificates in a Cluster for more information on certificate generation in Kubernetes clusters.

spec.certConfig

Optional

The configuration settings to use when auto-generating x.509 certificates for TLS encryption.

Omit to allow the MinIO Operator to generate the required fields in each auto-generated x.509 certificate.

If spec.requestAutoCert is false or omitted, this field has no effect.

spec.certConfig.commonName

Optional

The x.509 Common Name to use when generating x.509 certificates for TLS encryption. Use wildcard patterns when constructing the commonName to ensure the generated certificates match the Kubernetes-generated DNS names of Tenant resources. See the Kubernetes documentation on DNS for Services and Pods for more information on Kubernetes DNS.

If spec.requestAutoCert is false or omitted, this field has no effect.

spec.certConfig.dnsNames

Optional

The DNS names to use when generating x.509 certificates for TLS encryption.

If spec.requestAutoCert is false or omitted, this field has no effect.

spec.certConfig.organizationName

Optional

The x.509 Organization Name to use when generating x.509 certificates for TLS encryption.

If spec.requestAutoCert is false or omitted, this field has no effect.

spec.externalCaCertSecret

Optional

One or more Kubernetes secrets containing Certificate Authority (CA) certificates used by MinIO for validating the TLS certificate presented by external services. Required if using MinIO integrations where the service TLS certificates are signed by an unknown CA.

Specify an array where each element contains the following fields:

  • name specifies the name of the Kubernetes secret, and

  • type specifies kubernetes.io/tls

spec:
   externalCaCertSecret:
      - name: tenant-external-client-cert-secret-name
        type: kubernetes.io/tls

spec.externalCertSecret

Optional

One or more Kubernetes secrets that contain custom TLS certificate and private key pairs. The Operator uses these certificates when configuring Pod TLS and for enabling TLS with SNI support on each pod. Specifically, MinIO copies all specified certificates to each pod and service in the cluster. When the pod/service responds to a TLS connection request, it uses SNI to select the certificate with matching subjectAlternativeName.

Specify an array where each element contains the following fields:

  • name specifies the name of the Kubernetes secret, and

  • type specifies kubernetes.io/tls

Use wildcard patterns when constructing the DNS-related fields to ensure the generated certificates match the Kubernetes-generated DNS names of Tenant resources. See the Kubernetes documentation on DNS for Services and Pods for more information on Kubernetes DNS.

spec:
   externalCertSecret:
      - name: tenant-external-cert-secret-name
        type: kubernetes.io/tls

  • If requestAutoCert is enabled, each pod/service has both auto-generated TLS certificates and custom certificates.

  • If requestAutoCert is disabled, any pod/service whose hostname does not match a custom certificate cannot make TLS connections. This may result in connectivity errors. Consider specifying at least one certificate with a wildcard pattern applicable to any pod or service in the Tenant.
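
The certificate-coverage problem described above, as an added Python example that is not part of the MinIO documentation or Operator code: it checks which Tenant DNS names a set of externalCertSecret SANs would match, using the standard rule that a wildcard stands for exactly one leftmost label. The headless-service name and pod names are hypothetical; substitute the names your cluster actually generates.

```python
# Added example: which Tenant DNS names do the custom certificate SANs cover?


def san_matches(pattern, hostname):
    """Match one SAN dNSName against a hostname.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label, so '*.ns.svc.cluster.local' does not cover
    'pod.headless.ns.svc.cluster.local'. Partial wildcards such as 'f*.x'
    are treated as literals and therefore never match.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def select_certificate(cert_sans, hostname):
    """Return the name of the first secret whose SANs match, else None.

    cert_sans maps a secret name to the list of SAN dNSNames in its
    certificate, mirroring the SNI-based selection the page describes.
    """
    for secret, sans in cert_sans.items():
        if any(san_matches(san, hostname) for san in sans):
            return secret
    return None


def uncovered_hosts(request_auto_cert, cert_sans, hostnames):
    """List hostnames left without any certificate.

    With requestAutoCert enabled every pod/service also has an
    auto-generated certificate, so nothing is left uncovered.
    """
    if request_auto_cert:
        return []
    return [h for h in hostnames if select_certificate(cert_sans, h) is None]


# Constructed sample data. The service name and namespace come from the
# example Tenant on this page; the "-hl" headless service and the pod names
# are hypothetical.
HOSTS = [
    "minio-tenant-1-internal-service.minio-tenant-1.svc.cluster.local",
    "minio-tenant-1-pool-0-0.minio-tenant-1-hl.minio-tenant-1.svc.cluster.local",
    "minio-tenant-1-pool-0-1.minio-tenant-1-hl.minio-tenant-1.svc.cluster.local",
]
CERTS = {
    "tenant-external-cert-secret-name": ["*.minio-tenant-1.svc.cluster.local"],
}

if __name__ == "__main__":
    for host in uncovered_hosts(False, CERTS, HOSTS):
        print("no matching certificate:", host)
```

With these inputs the namespace-level wildcard covers the service name but neither pod name, because the pod names carry one more label than the pattern.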

spec.externalClientCertSecret

Optional

A Kubernetes secret containing a custom Certificate Authority certificate and private key used by MinIO pods for performing mutual TLS (mTLS) authentication to a KES service. The specified certificate and private key must correspond to an identity on the KES server. For example, specify the certificate and private key that correspond to the root identity of the spec.kes.kesSecret configuration.

Specify an object containing the following fields:

  • name - The name of the Kubernetes secret

  • type - Set to kubernetes.io/tls

If the specified certificate does not correspond to an identity on the KES server, or if the identity does not have the required policies for performing operations on the KES server, the MinIO pods may encounter unexpected behavior or errors when attempting to perform KES-related operations such as Server-Side Encryption (SSE-S3).

MinIO Console Service

The following fields describe the settings for deploying the MinIO Console in the MinIO Tenant.

spec:
   console:
      annotations: <object>
      consoleSecret:
         name: <string>
      env: <array>
      externalCaCertSecret:
         - name: <string>
           type: kubernetes.io/tls
      externalCertSecret:
         name: <string>
         type: kubernetes.io/tls
      image: <string>
      imagePullPolicy: <string>
      labels: <object>
      nodeSelector: <object>
      replicas: <int>
      resources: <object>
      serviceAccountName: <string>

spec.console

Optional

The root field for describing MinIO Console-related configuration information.

Omit to deploy the MinIO Tenant without an attached Console service.

spec.console.consoleSecret

Required if specifying spec.console.

The Kubernetes Secret object that contains all environment variables required by the MinIO Console. Specify the name of the secret as a subfield:

spec:
   console:
      consoleSecret:
         name: console-secret-name

spec.console.annotations

Optional

One or more Kubernetes annotations to associate with the MinIO Console object.

spec.console.env

Optional

The environment variables available for use by the MinIO Console.

See the Kubernetes API reference on EnvVar objects for more complete documentation on this field.

spec.console.externalCaCertSecret

Optional

One or more Kubernetes secrets containing Certificate Authority (CA) certificates used by MinIO Console for validating TLS connections from connecting clients.

The MinIO Console rejects connections from clients specifying untrusted x.509 certificates by default.

Specify an array where each element contains the following fields:

  • name specifies the name of the Kubernetes secret, and

  • type specifies kubernetes.io/tls

spec.console.externalCertSecret

Optional

One or more Kubernetes secrets that contain custom TLS certificate and private key pairs. The Operator uses these certificates when configuring MinIO Console Pod TLS and for enabling TLS with SNI support on each pod. Specifically, MinIO copies all specified certificates to each Console pod and service in the cluster. When the pod/service responds to a TLS connection request, it uses SNI to select the certificate with matching subjectAlternativeName.

Specify an array where each element contains the following fields:

  • name specifies the name of the Kubernetes secret, and

  • type specifies kubernetes.io/tls

Use wildcard patterns when constructing the DNS-related fields to ensure the generated certificates match the Kubernetes-generated DNS names of Tenant resources. See the Kubernetes documentation on DNS for Services and Pods for more information on Kubernetes DNS.

spec:
   console:
      externalCertSecret:
         name: console-external-secret-cert-name
         type: kubernetes.io/tls

  • If requestAutoCert is enabled, each pod/service has both auto-generated TLS certificates and custom certificates.

  • If requestAutoCert is disabled, any pod/service whose hostname does not match a custom certificate cannot make TLS connections. This may result in connectivity errors. Consider specifying at least one certificate with a wildcard pattern applicable to any pod or service in the Tenant.

spec:
   externalCaCertSecret:
      - name: tenant-external-client-cert-secret-name
        type: kubernetes.io/tls

spec.console.image

Optional

The name of the Docker image to use for deploying the MinIO Console.

Defaults to the latest release of MinIO Console.

spec.console.imagePullPolicy

Optional

The pull policy for the Docker image. Defaults to IfNotPresent.

spec.console.labels

Optional

The Kubernetes labels to apply to the MinIO Console object.

spec.console.nodeSelector

Optional

The filter to apply when selecting which node or nodes on which to deploy the MinIO Console. See the Kubernetes documentation on Assigning Pods to Nodes for more information.

See the Kubernetes API reference on NodeSelector objects for more complete documentation on this field.

spec.console.replicas

Optional

The number of MinIO Console pods to create in the cluster.

spec.console.resources

Optional

The resources each MinIO Console object requests.

See the Kubernetes API reference on ResourceRequirements objects for more complete documentation on this field.

spec.console.serviceAccountName

Optional

The name of the Service Account used to run all MinIO Console pods created as part of the Tenant.

MinIO Key Encryption Service

The following fields describe the settings for deploying the MinIO Key Encryption Service (KES) in the MinIO Tenant.

spec:
   kes:
      annotations: <object>
      labels: <object>
      clientCertSecret:
         name: <string>
         type: kubernetes.io/tls
      externalCertSecret:
         name: <string>
         type: kubernetes.io/tls
      image: <string>
      imagePullPolicy: <string>
      kesSecret:
         name: <string>
      nodeSelector: <object>
      replicas: <integer>
      serviceAccountName: <string>

spec.kes

Optional

The root field for describing MinIO Key Encryption Service-related configuration information.

Omit to deploy the MinIO Tenant without an attached KES service.

spec.kes.clientCertSecret

Optional

The Certificate Authority and x.509 private key/public key to use for performing mutual TLS (mTLS) to supported Key Management Services.

spec.kes.kesSecret

Required if specifying spec.kes.

The Kubernetes Secret object that contains all environment variables required by the MinIO KES. Specify the name of the secret as a subfield:

spec:
   kes:
      kesSecret:
         name: kes-secret-name

The secret contents should resemble the following:

apiVersion: v1
kind: Secret
metadata:
   name: kes-config
type: Opaque
stringData:
   server-config.yaml: |-
     # KES Configuration Options

The MinIO Operator GitHub repository contains an example kes-secret.yaml for reference. For more complete documentation on the KES configuration file, see KES Config File.

spec.kes.annotations

Optional

One or more Kubernetes annotations to associate with the MinIO KES object.

spec.kes.env

Optional

The environment variables available for use by the MinIO KES.

See the Kubernetes API reference on EnvVar objects for more complete documentation on this field.

spec.kes.externalCertSecret

Optional

The name of the Kubernetes secret containing the custom Certificate Authority certificate and private key to use for configuring TLS on the KES object. Specify an object where name specifies the name of the secret and type specifies kubernetes.io/tls:

spec:
   kes:
      externalCertSecret:
         name: kes-external-secret-cert-name
         type: kubernetes.io/tls

spec.kes.image

Optional

The name of the Docker image to use for deploying MinIO KES.

Defaults to the latest release of MinIO KES.

spec.kes.imagePullPolicy

Optional

The pull policy for the Docker image. Defaults to IfNotPresent.

spec.kes.labels

Optional

The Kubernetes labels to apply to the MinIO KES object.

spec.kes.nodeSelector

Optional

The filter to apply when selecting which node or nodes on which to deploy MinIO KES. See the Kubernetes documentation on Assigning Pods to Nodes for more information.

See the Kubernetes API reference on NodeSelector objects for more complete documentation on this field.

spec.kes.replicas

Optional

The number of MinIO KES pods to create in the cluster.

spec.kes.serviceAccountName

Optional

The name of the Service Account used to run all MinIO KES pods created as part of the Tenant.

Pod Security, Scheduling, and Management

The following fields describe the settings for Pod Security, Pod Scheduling, and Pod Management in the MinIO Tenant.

spec:
   securityContext: <object>
   serviceAccountName: <string>
   podManagementPolicy: <string>
   priorityClassName: <string>

spec.securityContext

Optional

Root field for configuring the Security Context of pods created as part of the MinIO Tenant.

The MinIO Operator supports the following PodSecurityContext fields:

  • fsGroup

  • fsGroupChangePolicy

  • runAsGroup

  • runAsNonRoot

  • runAsUser

  • seLinuxOptions

See the Kubernetes API reference on PodSecurityContext for more complete documentation on this field.
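
The checks below are an added example, not code from the MinIO Operator: a small Python linter that applies the rules this page states for metadata, spec.pools (server count, servers x volumesPerServer, required volumeClaimTemplate fields) and the supported spec.securityContext fields to a Tenant object supplied as a parsed dict. The non-root warning is a hardening check added here rather than a rule from this page, and both sample Tenants are constructed.

```python
# Added example (not MinIO Operator code): lint a Tenant object, supplied as a
# parsed dict, against the rules stated on this page.
SUPPORTED_SECURITY_CONTEXT = {
    "fsGroup", "fsGroupChangePolicy", "runAsGroup",
    "runAsNonRoot", "runAsUser", "seLinuxOptions",
}

def _is_int(value):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)

def _dig(obj, *keys):
    """Walk nested dicts; return None as soon as a key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def pvc_count(tenant):
    """PVCs the Operator generates: sum of servers * volumesPerServer."""
    return sum(
        p["servers"] * p["volumesPerServer"]
        for p in _dig(tenant, "spec", "pools") or []
        if _is_int(p.get("servers")) and _is_int(p.get("volumesPerServer"))
    )

def lint_tenant(tenant):
    """Return (level, message) pairs: 'error' is a rule from this page,
    'warn' is a hardening check added by this example."""
    out = []

    def err(msg):
        out.append(("error", msg))

    if (tenant.get("apiVersion"), tenant.get("kind")) != ("minio.min.io/v1", "Tenant"):
        err("apiVersion must be minio.min.io/v1 and kind must be Tenant")
    if not _dig(tenant, "metadata", "name"):
        err("metadata.name is required")
    if _dig(tenant, "metadata", "labels", "app") != "minio":
        err("metadata.labels must include app: minio")

    pools = _dig(tenant, "spec", "pools")
    if not isinstance(pools, list) or not pools:
        err("spec.pools must have at least one element")
        pools = []
    for i, pool in enumerate(pools):
        where = f"spec.pools[{i}]"
        servers, vps = pool.get("servers"), pool.get("volumesPerServer")
        if not _is_int(servers) or servers < 2:
            err(f"{where}.servers must be an integer >= 2")
        if not _is_int(vps) or vps < 1:
            err(f"{where}.volumesPerServer must be a positive integer")
        if _is_int(servers) and _is_int(vps) and servers * vps <= 4:
            err(f"{where}: servers x volumesPerServer = {servers * vps}, must be > 4")
        claim_spec = _dig(pool, "volumeClaimTemplate", "spec")
        if not _dig(claim_spec, "accessModes"):
            err(f"{where}.volumeClaimTemplate.spec.accessModes is required")
        if not _dig(claim_spec, "resources", "requests", "storage"):
            err(f"{where}.volumeClaimTemplate.spec.resources.requests.storage is required")

    sc = _dig(tenant, "spec", "securityContext")
    sc = sc if isinstance(sc, dict) else {}
    extra = sorted(set(sc) - SUPPORTED_SECURITY_CONTEXT)
    if extra:
        err("spec.securityContext: unsupported field(s): " + ", ".join(extra))
    if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is not True:
        out.append(("warn", "spec.securityContext does not enforce a non-root user"))
    return out

def sample_tenant(servers, volumes_per_server, storage, security_context):
    """Build a constructed sample Tenant (values are illustrative only)."""
    claim = {"accessModes": ["ReadWriteOnce"],
             "resources": {"requests": {"storage": storage} if storage else {}}}
    return {
        "apiVersion": "minio.min.io/v1", "kind": "Tenant",
        "metadata": {"name": "minio", "labels": {"app": "minio"}},
        "spec": {"securityContext": security_context,
                 "pools": [{"servers": servers, "volumesPerServer": volumes_per_server,
                            "volumeClaimTemplate": {"spec": claim}}]},
    }

GOOD = sample_tenant(4, 4, "10Gi", {"runAsUser": 1000, "runAsGroup": 1000,
                                    "fsGroup": 1000, "runAsNonRoot": True})
BAD = sample_tenant(2, 2, None, {"runAsUser": 0, "privileged": True})

if __name__ == "__main__":
    for level, message in lint_tenant(BAD):
        print(f"{level}: {message}")
```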

spec.serviceAccountName

Optional

The name of the Service Account used to run all minio server pods created as part of the Tenant.

spec.podManagementPolicy

Optional

The Pod Management Policy used for pods created as part of the MinIO Tenant.

See the Kubernetes API reference on StatefulSetSpec for more complete documentation on this field.

spec.priorityClassName

Optional

The Pod Priority Class to apply to pods created as part of the MinIO Tenant.

See the Kubernetes API reference on PodSpec for more complete documentation on this field.