KubeBlocks Options and Roles

KubeBlocks Options

KubeBlocks Options

| Parameter | Description | Default |
|---|---|---|
| image.registry | KubeBlocks image repository | apecloud-registry.cn-zhangjiakou.cr.aliyuncs.com |
| image.repository | KubeBlocks image repository | apecloud/kubeblocks |
| image.pullPolicy | Image pull policy | IfNotPresent |
| image.tag | Image tag, default follows chart appVersion | "" |
| image.imagePullSecrets | Image pull secrets | [] |
| image.tools.repository | Tools image repository | apecloud/kubeblocks-tools |
| replicaCount | Replica count | 1 |
| reconcileWorkers | Reconcile workers | "" |

Data Protection Options

| Parameter | Description | Default |
|---|---|---|
| dataProtection.enabled | Enable data protection controllers | true |
| dataProtection.leaderElectId | Data protection leader election ID | "" |
| dataProtection.encryptionKey | Backup encryption key | "" |
| dataProtection.encryptionKeySecretKeyRef.name | Encryption key Secret name | "" |
| dataProtection.encryptionKeySecretKeyRef.key | Encryption key Secret key | "" |
| dataProtection.encryptionKeySecretKeyRef.skipValidation | Skip key validation | false |
| dataProtection.enableBackupEncryption | Enable backup encryption | false |
| dataProtection.backupEncryptionAlgorithm | Backup encryption algorithm, choose one from "AES-128-CFB", "AES-192-CFB", "AES-256-CFB" | "" |
| dataProtection.gcFrequencySeconds | Garbage collection frequency (seconds) | 3600 |
| dataProtection.reconcileWorkers | Backup controller concurrency | "" |
| dataProtection.image.registry | Data protection image repository | "" |
| dataProtection.image.repository | Data protection image repository | |
| dataProtection.image.pullPolicy | Image pull policy | IfNotPresent |
| dataProtection.image.tag | Image tag | "" |
| dataProtection.image.imagePullSecrets | Image pull secrets | [] |
| dataProtection.image.datasafed.repository | Datasafed image repository | apecloud/datasafed |
| dataProtection.image.datasafed.tag | Datasafed image tag | 0.2.0 |

Backup Repository Options

| Parameter | Description | Default |
|---|---|---|
| backupRepo.create | Creates a backup repo during installation | false |
| backupRepo.default | Set the created repo as the default | true |
| backupRepo.accessMethod | The access method for the backup repo, options: [Mount, Tool] | Tool |
| backupRepo.storageProvider | The storage provider used by the repo, options: [s3, oss, minio] | "" |
| backupRepo.pvReclaimPolicy | The PV reclaim policy, options: [Retain, Delete] | Retain |
| backupRepo.volumeCapacity | The capacity for creating PVC | "" |
| backupRepo.config.bucket | Storage bucket | "" |
| backupRepo.config.endpoint | Storage endpoint | "" |
| backupRepo.config.region | Storage region | "" |
| backupRepo.secrets.accessKeyId | Storage secret key ID | "" |
| backupRepo.secrets.secretAccessKey | Storage secret key | "" |

Addon Options

| Parameter | Description | Default |
|---|---|---|
| addonController.enabled | Enable Addon controller, requires cluster-admin ClusterRole | true |
| addonController.jobTTL | Time-to-live period for addon jobs (time.Duration format) | 5m |
| addonController.jobImagePullPolicy | Image pull policy for addon install jobs | IfNotPresent |
| keepAddons | Keep Addon CR objects when uninstalling chart | true |
| addonChartLocationBase | KubeBlocks official addon chart location base. For air-gapped environments, if URL has prefix "file://", KubeBlocks will use Helm charts copied from addonChartsImage | file:// |
| addonChartsImage.registry | Addon charts image registry (defaults to image.registry if not specified) | "" |
| addonChartsImage.repository | Addon charts image repository | apecloud/kubeblocks-charts |
| addonChartsImage.pullPolicy | Image pull policy | IfNotPresent |
| addonChartsImage.tag | Image tag | "" |
| addonChartsImage.chartsPath | Helm charts path in addon charts image | /charts |
| addonChartsImage.pullSecrets | Image pull secrets | [] |
| addonHelmInstallOptions | Addon helm install options | ["--atomic", "--cleanup-on-fail", "--wait", "--insecure-skip-tls-verify"] |
| upgradeAddons | Upgrade addons when upgrading chart. Set to false to prevent addon CRs from being upgraded during chart upgrade | false |
| autoInstalledAddons | List of addons to auto-install during installation and upgrade | ["apecloud-mysql", "etcd", "kafka", "mongodb", "mysql", "postgresql", "qdrant", "redis", "rabbitmq"] |

Controller Options

| Parameter | Description | Default |
|---|---|---|
| controllers.apps.enabled | Enable apps controller | true |
| controllers.workloads.enabled | Enable workloads controller | true |
| controllers.operations.enabled | Enable operations controller | true |
| controllers.experimental.enabled | Enable experimental controller | false |
| controllers.trace.enabled | Enable trace controller | false |

Feature Gates Options

| Parameter | Description | Default |
|---|---|---|
| featureGates.inPlacePodVerticalScaling.enabled | Enable in-place Pod vertical scaling | false |

To set or update the options, pass them with --set when installing or upgrading, using either Helm or kbcli.

Using Helm:

  1. Installation

```bash
helm install kubeblocks kubeblocks/kubeblocks \
  --namespace kb-system \
  --create-namespace \
  --version {{VERSION}} \
  --set optionName=optionValue
```

  2. Upgrade

```bash
helm upgrade kubeblocks kubeblocks/kubeblocks \
  --namespace kb-system \
  --version {{VERSION}} \
  --set optionName=optionValue
```

Using kbcli:

  1. Installation

```bash
kbcli kubeblocks install \
  --version={{VERSION}} \
  --create-namespace \
  --set optionName=optionValue
```

  2. Upgrade

```bash
kbcli kubeblocks upgrade \
  --version={{VERSION}} \
  --set optionName=optionValue
```

KubeBlocks Operator RBAC Permissions

The KubeBlocks operator requires the following permissions to work properly.

1. Kubernetes Resource Permissions

Main permissions include:

Core Cluster Permissions:

  • Node: list, watch
  • Pod: create, delete, deletecollection, get, list, patch, update, watch, exec, log
  • Service: create, delete, deletecollection, get, list, patch, update, watch
  • ConfigMap: create, delete, deletecollection, get, list, patch, update, watch
  • Secret: create, delete, deletecollection, get, list, patch, update, watch
  • ServiceAccount: create, delete, get, list, patch, update, watch
  • PersistentVolumeClaim: create, delete, get, list, patch, update, watch
  • PersistentVolume: get, list, patch, update, watch
  • Event: create, get, list, patch, watch

Application Resource Permissions:

  • Deployment: get, list, watch
  • StatefulSet: create, delete, deletecollection, get, list, patch, update, watch
  • Job: create, delete, deletecollection, get, list, patch, update, watch
  • CronJob: create, delete, get, list, patch, update, watch

Storage Related Permissions:

  • StorageClass: create, delete, get, list, watch
  • CSIDriver: get, list, watch
  • VolumeSnapshot: create, delete, get, list, patch, update, watch
  • VolumeSnapshotClass: create, delete, get, list, patch, update, watch

RBAC Permissions:

  • Role: get, list, watch
  • RoleBinding: create, delete, get, list, patch, update, watch

Coordination Mechanism Permissions:

  • Lease: create, get, list, patch, update, watch

Authentication Proxy Permissions:

  • TokenReview: create
  • SubjectAccessReview: create

2. KubeBlocks Custom Resource Permissions

  • apps.kubeblocks.io API Groups: ClusterDefinition, Cluster, ComponentDefinition, Component, ComponentVersion, Rollout, ServiceDescriptor, ShardingDefinition, SidecarDefinition
  • dataprotection.kubeblocks.io API Groups: ActionSet, BackupPolicy, BackupPolicyTemplate, BackupRepo, Backup, BackupSchedule, Restore, StorageProvider
  • operations.kubeblocks.io API Groups: OpsDefinition, OpsRequest
  • parameters.kubeblocks.io API Groups: ComponentParameter, ParamConfigRenderer, Parameter, ParameterDefinition
  • experimental.kubeblocks.io API Groups: NodeCountScaler
  • extensions.kubeblocks.io API Groups: Addon
  • trace.kubeblocks.io API Groups: ReconciliationTrace
  • workloads.kubeblocks.io API Groups: InstanceSet

3. Conditional Permissions

Data Protection Feature (dataProtection.enabled=true):

  • backup-related permissions

Webhook Conversion Feature (webhooks.conversionEnabled=true):

  • CustomResourceDefinition: create, get, list, patch, update, watch
  • Deployment: Additional deployment management permissions

Addon Controller (addonController.enabled=true):

  • cluster-admin: Full cluster administrator permissions

NOTE

The Addon Controller requires the cluster-admin ClusterRole. If you don't want to grant this permission, set addonController.enabled=false when installing KubeBlocks.

Once it is disabled, you can still install addons with Helm; see Install Addons.
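
The options and permissions above can be reviewed on a running installation. The following is an added example, not part of the KubeBlocks documentation: a Python check that reads a release's effective values as JSON and flags the options from the tables above that affect operator privilege, TLS verification and backup confidentiality. The release name `kubeblocks`, the namespace `kb-system` (both taken from the commands above) and the sample values are assumptions constructed for illustration.

```python
import json

# Constructed sample in the shape of `helm get values kubeblocks -n kb-system --all -o json`.
SAMPLE_VALUES = json.loads("""{
  "addonController": {"enabled": true},
  "addonHelmInstallOptions": ["--atomic", "--cleanup-on-fail", "--wait", "--insecure-skip-tls-verify"],
  "dataProtection": {"enabled": true, "enableBackupEncryption": false,
                     "backupEncryptionAlgorithm": "", "encryptionKey": "",
                     "encryptionKeySecretKeyRef": {"name": "", "key": "", "skipValidation": false}},
  "backupRepo": {"create": true,
                 "secrets": {"accessKeyId": "EXAMPLE-ID", "secretAccessKey": "EXAMPLE-SECRET"}}
}""")

ALGORITHMS = {"AES-128-CFB", "AES-192-CFB", "AES-256-CFB"}  # values listed in the options table

def get(values, path, default=None):
    """Look up a dotted option name such as 'dataProtection.enabled'."""
    node = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def audit(values):
    """Return (option, finding) pairs for settings that deserve a review."""
    out = []
    if get(values, "addonController.enabled", True):
        out.append(("addonController.enabled", "operator requires the cluster-admin ClusterRole"))
    if "--insecure-skip-tls-verify" in (get(values, "addonHelmInstallOptions") or []):
        out.append(("addonHelmInstallOptions", "addon installs skip TLS certificate checks"))
    if get(values, "dataProtection.enabled", True):
        prefix = "dataProtection."
        if not get(values, prefix + "enableBackupEncryption", False):
            out.append((prefix + "enableBackupEncryption", "backup encryption is disabled"))
        elif get(values, prefix + "backupEncryptionAlgorithm") not in ALGORITHMS:
            out.append((prefix + "backupEncryptionAlgorithm", "not one of the documented algorithms"))
        if get(values, prefix + "encryptionKey"):
            out.append((prefix + "encryptionKey", "key is stored in the Helm release values"))
        if get(values, prefix + "encryptionKeySecretKeyRef.skipValidation", False):
            out.append((prefix + "encryptionKeySecretKeyRef.skipValidation", "key validation is skipped"))
    if get(values, "backupRepo.create", False) and any((get(values, "backupRepo.secrets") or {}).values()):
        out.append(("backupRepo.secrets", "storage credentials are stored in the Helm release values"))
    return out

if __name__ == "__main__":
    for option, finding in audit(SAMPLE_VALUES):
        print(f"{option}: {finding}")
```

To run it against a live release, replace `SAMPLE_VALUES` with the parsed output of `helm get values kubeblocks -n kb-system --all -o json`.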

© 2025 ApeCloud PTE. Ltd.