Skip to content

SCONE Operator

The SCONE operator consists of

  • a controller manager, and
  • for each SCONE service and the SCONE policies,
  • a custom resource definition (CRD) of a custom resource (CR), and
  • a controller.

When the operator is deployed, its CRDs, controllers, and other Kubernetes objects are deployed, and the controller manager is started. The controller manager is running as a Kubernetes Deployment and deploys mutating and validating webhooks at start-up. Once they have started up, a custom resource of each kind can (CAS is optional) be deployed. This is made possible by the previous deployment of the corresponding CRDs.

Once a CR is created, deleted, or updated, the corresponding controller is notified, and reconciling the CR is started. To summarize, the reconciler, i.e., the controller, checks the current state of the CR, compares it to the desired state (i.e., its configuration), and takes the necessary action to change the current state into the desired state. This action either automatically (for example, if it was an update of the CR) or explicitly results in the reconciliation being triggered again. This process continues until the two states are equal.

Installing the Operator

We need to install a set of prerequisites to install the SCONE Operator. After the SCONE operator is up and running, each of the custom resources SGXPlugin, LAS, and CAS can be installed separately by deploying and creating a custom resource.

Kubernetes Config

The first step is to ensure you have access to your Kubernetes cluster.


We assume you can access your Kubernetes cluster through your $HOME/.kube/config file or the KUBECONFIG environment variable.


The cert-manager is a prerequisite of the SCONE operator. You can check if the cert-manager is installed using kubectl:

kubectl get pods -A | grep cert-manager

If no cert-manager pod is running, you can install cert-manager using kubectl or helm. Our recommendation, however, is to install the latest release using kubectl as follows:

kubectl apply -f

Please refer to the official installation instructions for up-to-date version information.

Alternatively, you can install it with the SCONE operator using helm: it can be installed using command line flags of the helm install command.

Operator Namespace

Now you are ready to deploy the SCONE operator using the image you just created. Deploying the operator can be done using helm. With helm, you can specify the desired namespace on the command line.

By default, we use the namespace scone-system. You can create the namespace by executing the following:

kubectl apply -f

Pull Secret

Pull Secret

Authorization is required to pull container images from private registries. You should create the Kubernetes secrets scone-operator-pull and sconeapps with the required credentials in the namespace scone-system.

The SCONE operator image is stored in a private Docker Hub repo. Hence, to deploy this image, one needs to pass the image pull credentials to Kubernetes. To do so, you must create the Kubernetes secret scone-operator-pull.

You could first define your credentials which include the generation of an access token to read_registry and set environment variables:

export SCONE_HUB_USERNAME=<your-name> # is your Docker username
export SCONE_HUB_ACCESS_TOKEN=<your-pword> # is your Docker password
export SCONE_HUB_EMAIL=<your-email> # is your Docker email

And then, create a Kubernetes secrets scone-operator-pull and sconeapps. In a simple setup, these secrets contain the same token. You need to define a secret per registry if you use multiple registries. Often one might use a different registry for the base SCONE images (Plugin, LAS, CAS) and the application images (e.g., MariaDB, Nginx, etc.)

kubectl create secret docker-registry scone-operator-pull \ \
   --docker-username=$SCONE_HUB_USERNAME \
   --docker-password=$SCONE_HUB_ACCESS_TOKEN \
   --docker-email=$SCONE_HUB_EMAIL \
   --namespace scone-system


kubectl create secret docker-registry sconeapps \ \
   --docker-username=$SCONE_HUB_USERNAME \
   --docker-password=$SCONE_HUB_ACCESS_TOKEN \
   --docker-email=$SCONE_HUB_EMAIL \
   --namespace scone-system

Deploy the SCONE Operator


You can find the up-to-date list of SCONE operator releases here: SCONE operator releases.

Now deploy your SCONE operator either using helm:

helm install scone-operator --namespace scone-system

Automatically injecting Pull Secrets

The SCONE images require defining a pull secret. This can be inconvenient since a user would need to add the correct pull secret in each namespace that needs access to one of these images. Since the operator already defines this pull secret, one can automate the distribution of this secret to other namespaces with the help of a secrets operator.

helm repo add banzaicloud-stable
helm install imps banzaicloud-stable/imagepullsecrets -n scone-system

Creating a secret injector for secret sconeapps, i.e., injecting into all namespaces that request this secret by copying form namespace scone-system:

kubectl apply -f

Using helm to install the cert-manager


cert-manager can be installed by adding the flag --set cert-manager.enabled=true to the above helm install command. However, care should be taken not to have more than one instance of cert-manager running in the same cluster since it also manages non-namespaced resources. You can customize where cert-manager is installed using the command line flag --set cert-manager.namespace=somenamespace and include the CRDs of the cert-manager in the installation using --set cert-manager.installCRDs=true. We recommend installing it as described above under Prerequisites and refer to the official cert-manager documentation for further information.

You can verify that the operator is running as it should using the following commands:

# Check the state of the deployment of the operator
kubectl get deployments -n scone-system scone-controller-manager
# Check the state of the pod of the deployment
kubectl get pods -n scone-system -l control-plane=controller-manager
# Check the log of the pod (use the name of the pod from the previous command)
export CONTROLLERPOD=$(kubectl get pods -n scone-system -l control-plane=controller-manager | grep scone-controller-manager | awk '{ print $1 }')
kubectl logs -n scone-system $CONTROLLERPOD

Default Images

The SCONE Operator uses the following default images:

Component Image Tag
SCONE Operator latest
CAS latest
LAS latest
SGXPlugin latest
CAS Backup Controller latest