Multi-namespace examples

YAML examples for deploying Redis Enterprise across multiple Kubernetes namespaces.

Multi-namespace deployment lets a single Redis Enterprise operator manage clusters and databases in different namespaces, providing better resource isolation and organization.

Multi-namespace deployment enables:

  • Namespace isolation: Separate Redis Enterprise resources by team, environment, or application
  • Centralized management: Single operator manages multiple namespaces
  • Resource sharing: Efficient use of cluster resources across namespaces
  • Flexible RBAC: Fine-grained permissions per namespace

This example shows:

  • Operator namespace: redis-enterprise-operator (where the operator and REC run)
  • Consumer namespaces: app-production, app-staging (where REDB resources are created)

For complete deployment instructions, see Manage databases in multiple namespaces.

Operator service account

Deploy these resources in the namespace where the Redis Enterprise operator runs.

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: redis-enterprise
  name: redis-enterprise-operator

Operator cluster role

Grant the operator cluster-wide permission to list and watch namespaces, which it needs to manage resources across namespaces.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: redis-enterprise-operator-consumer-ns
  labels:
    app: redis-enterprise
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list", "watch"]

Operator cluster role binding

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: redis-enterprise-operator-consumer-ns
  labels:
    app: redis-enterprise
subjects:
- kind: ServiceAccount
  name: redis-enterprise-operator
  namespace: NAMESPACE_OF_SERVICE_ACCOUNT
roleRef:
  kind: ClusterRole
  name: redis-enterprise-operator-consumer-ns
  apiGroup: rbac.authorization.k8s.io

Consumer role

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: redb-role
  labels:
    app: redis-enterprise
rules:
  - apiGroups:
      - app.redislabs.com
    resources: ["redisenterprisedatabases",
                "redisenterprisedatabases/status",
                "redisenterprisedatabases/finalizers",
                "redisenterpriseactiveactivedatabases",
                "redisenterpriseactiveactivedatabases/status",
                "redisenterpriseactiveactivedatabases/finalizers"]
    verbs: ["delete", "get", "list", "patch", "create", "update", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["update", "get", "watch", "create", "patch", "list"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "update", "patch", "create", "delete", "watch"]

Consumer role binding

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: redb-role
  labels:
    app: redis-enterprise
subjects:
- kind: ServiceAccount
  name: redis-enterprise-operator
  namespace: NAMESPACE_OF_SERVICE_ACCOUNT
- kind: ServiceAccount
  name: NAME_OF_REC_SERVICE_ACCOUNT  # service account of the REC, usually the same as the name of the custom resource
  namespace: NAMESPACE_OF_SERVICE_ACCOUNT
roleRef:
  kind: Role
  name: redb-role
  apiGroup: rbac.authorization.k8s.io

Consumer namespace configuration:

  • subjects.name: Must match the operator service account name
  • subjects.namespace: Must be the operator namespace, not the consumer namespace
  • roleRef.name: Must match the consumer role name
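
The three rules above can be checked mechanically before a binding is applied. The following is an added example, not part of the Redis Enterprise documentation or operator code: it lints a consumer RoleBinding supplied as a dict in the shape of `kubectl get ... -o json` output. The function names, the sample objects, and the REC service account name `rec` are assumptions made for illustration.

```python
# Added example: lint a consumer-namespace RoleBinding against the three rules above.
# Dicts have the shape of `kubectl get role,rolebinding -o json` items.
OPERATOR_NS = "redis-enterprise-operator"  # operator namespace used in this page's example
OPERATOR_SA = "redis-enterprise-operator"  # operator service account name from this page

def check_consumer_binding(binding, role, operator_ns=OPERATOR_NS, operator_sa=OPERATOR_SA):
    """Return a list of findings; an empty list means all three rules hold."""
    findings = []
    consumer_ns = binding["metadata"].get("namespace", "")
    subjects = binding.get("subjects") or []
    # Rules 1 and 2: the operator service account is bound from the operator namespace.
    if not any(s.get("kind") == "ServiceAccount" and s.get("name") == operator_sa
               and s.get("namespace") == operator_ns for s in subjects):
        findings.append(f"{operator_ns}/{operator_sa} is not a subject")
    for s in subjects:
        ns = s.get("namespace", "")
        # Namespace names are lowercase DNS labels, so this is an unreplaced placeholder.
        if ns != ns.lower() or "_" in ns:
            findings.append(f"subject {s.get('name')}: placeholder namespace {ns!r}")
        elif ns == consumer_ns and ns != operator_ns:
            findings.append(f"subject {s.get('name')}: uses consumer namespace {ns!r}")
    # Rule 3: roleRef points at the consumer Role by kind and name.
    ref = binding.get("roleRef", {})
    if ref.get("kind") != "Role" or ref.get("name") != role["metadata"]["name"]:
        findings.append(f"roleRef {ref.get('kind')}/{ref.get('name')} does not match the Role")
    return findings

def sa(name, namespace):
    """Build a ServiceAccount subject entry (hypothetical helper)."""
    return {"kind": "ServiceAccount", "name": name, "namespace": namespace}

# Constructed sample objects; "rec" is an assumed REC service account name.
ROLE = {"metadata": {"name": "redb-role", "namespace": "app-production"}}
GOOD = {"metadata": {"name": "redb-role", "namespace": "app-production"},
        "subjects": [sa(OPERATOR_SA, OPERATOR_NS), sa("rec", OPERATOR_NS)],
        "roleRef": {"kind": "Role", "name": "redb-role"}}
BAD = {"metadata": {"name": "redb-role", "namespace": "app-staging"},
       "subjects": [sa(OPERATOR_SA, "app-staging"), sa("rec", "NAMESPACE_OF_SERVICE_ACCOUNT")],
       "roleRef": {"kind": "ClusterRole", "name": "redb-role"}}

if __name__ == "__main__":
    for name, obj in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_consumer_binding(obj, ROLE) or "ok")
```
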
