
S3 Operator

The bnerd-s3-operator is a Kubernetes operator that provisions S3-compatible object storage declaratively from within your cluster. Define an S3User custom resource and the operator handles the full lifecycle: creating an RGW user, applying a quota, and writing credentials to a Kubernetes Secret, with no manual API calls required.

Use cases

  • Give each application in your cluster its own isolated S3 identity.
  • Automate credential rotation by deleting and re-creating an S3User (the operator refuses to delete a user that still owns buckets; see Deletion and data retention below).
  • Manage object storage alongside your workloads in the same GitOps workflow.

Prerequisites

The S3 Operator must be installed on your cluster by b'nerd. Contact support or your account manager to enable it. Once installed, the s3.bnerd.cloud API group is available in your cluster.

Custom resource: S3User

apiVersion: s3.bnerd.cloud/v1alpha1
kind: S3User
metadata:
  name: my-app-storage
  namespace: my-app
spec:
  projectRef: <your-project-uuid>
  quota:
    maxSizeKb: 10485760   # 10 GiB (10 * 1024 * 1024 KiB) — omit for platform default (500 GB)

The operator creates the corresponding RGW user via the b'nerd API and writes credentials to a Secret named <s3user-name>-credentials in the same namespace:

apiVersion: v1
kind: Secret
metadata:
  name: my-app-storage-credentials
  namespace: my-app
type: Opaque
data:
  AWS_ACCESS_KEY_ID: <base64>
  AWS_SECRET_ACCESS_KEY: <base64>
  AWS_ENDPOINT_URL: <base64>   # https://storage.muc1.de.bnerd.com
  AWS_REGION: <base64>         # de-muc1

Reference the Secret from your application deployment. Any principal that can read Secrets in the namespace can read these keys, so scope RBAC on the namespace accordingly:

envFrom:
  - secretRef:
      name: my-app-storage-credentials

Quota

The spec.quota.maxSizeKb field maps directly to the max_size_kb field in the Quota & Limits API. Omit the quota block to use the platform default (500 GB). Quota changes require platform-admin privileges in the b'nerd API; the operator holds the necessary credentials to apply them on your behalf.

No object count limit

The maxSizeKb field is the only configurable quota dimension. Object count limits are not exposed.

Deletion and data retention

Deleting an S3User resource triggers deletion of the underlying RGW user. The operator will not delete the user while it still owns buckets: you must empty and delete all buckets first, or add purgeOnDelete: true to the spec:

spec:
  projectRef: <uuid>
  purgeOnDelete: true   # Irreversible — deletes all buckets and objects

When purgeOnDelete: true is set, the platform records an audit event before the purge runs (ISO 27001 / GDPR (DSGVO) requirement).

Status conditions

The operator sets standard Kubernetes conditions on the S3User resource:

Condition       Meaning
Ready: True     RGW user created and credentials written to the Secret
Ready: False    Provisioning failed; the condition's message field carries the reason
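The following is an added example, not code from the bnerd-s3-operator project. It ties together three things this page describes: reading the Ready condition, decoding the <name>-credentials Secret into boto3 client arguments, and performing the delete-and-re-create credential rotation from the Use cases section, followed by a rollout restart so the consuming Deployment picks up the new keys. It assumes kubectl is on PATH with a kubeconfig for the target cluster; the helper and function names are my own, and the sample Secret is constructed inline with the endpoint and region values shown above. Because the operator refuses to delete a user that still owns buckets, rotate() only works for identities with no buckets and explicitly refuses to run against a spec that sets purgeOnDelete.

```python
# Added example (not part of bnerd-s3-operator). Assumes kubectl on PATH and
# the S3User / Secret shapes documented on this page. All function names are
# assumptions of this example, not operator API.
import base64
import json
import subprocess
import time

KB_PER_GIB = 1024 * 1024


def gib_to_max_size_kb(gib):
    """spec.quota.maxSizeKb is a KiB count: 10 GiB -> 10485760."""
    return gib * KB_PER_GIB


def ready_condition(s3user):
    """Return (ready, message) from status.conditions.

    ready is None until the operator has written a Ready condition at all,
    True/False once it has. message carries the failure reason on False."""
    for cond in s3user.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True", cond.get("message", "")
    return None, ""


def decode_credentials(secret):
    """Decode the base64 data fields of the <name>-credentials Secret."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def boto3_client_kwargs(creds):
    """Map the Secret's keys onto boto3.client("s3", **kwargs) arguments."""
    return {
        "endpoint_url": creds["AWS_ENDPOINT_URL"],
        "region_name": creds["AWS_REGION"],
        "aws_access_key_id": creds["AWS_ACCESS_KEY_ID"],
        "aws_secret_access_key": creds["AWS_SECRET_ACCESS_KEY"],
    }


def kubectl_json(*args):
    out = subprocess.run(["kubectl", *args, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def kubectl(*args):
    subprocess.run(["kubectl", *args], check=True)


def wait_ready(name, namespace, timeout_s=120):
    """Poll the S3User until Ready=True, then return its credentials Secret."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        ready, msg = ready_condition(kubectl_json("get", "s3user", name, "-n", namespace))
        if ready:
            return kubectl_json("get", "secret", f"{name}-credentials", "-n", namespace)
        if ready is False:
            raise RuntimeError(f"S3User {name} failed to provision: {msg}")
        time.sleep(3)
    raise TimeoutError(f"S3User {name} not Ready after {timeout_s}s")


def rotate(name, namespace, deployment):
    """Rotate keys by deleting and re-creating the S3User with the same spec.

    The operator refuses to delete a user that still owns buckets, so this
    only works for identities that own none; a spec with purgeOnDelete would
    make the delete succeed by destroying data, so we refuse it outright."""
    current = kubectl_json("get", "s3user", name, "-n", namespace)
    spec = current["spec"]
    if spec.get("purgeOnDelete"):
        raise RuntimeError("refusing to rotate: purgeOnDelete would wipe all buckets")
    kubectl("delete", "s3user", name, "-n", namespace, "--wait=true")
    fresh = {"apiVersion": current["apiVersion"], "kind": "S3User",
             "metadata": {"name": name, "namespace": namespace}, "spec": spec}
    subprocess.run(["kubectl", "apply", "-f", "-"], input=json.dumps(fresh),
                   text=True, check=True)
    secret = wait_ready(name, namespace)
    # envFrom only resolves at pod start, so restart the consumer.
    kubectl("rollout", "restart", f"deployment/{deployment}", "-n", namespace)
    return decode_credentials(secret)


# Constructed sample Secret in the shape the operator writes (values are fake).
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "my-app-storage-credentials", "namespace": "my-app"},
    "data": {k: base64.b64encode(v.encode()).decode() for k, v in {
        "AWS_ACCESS_KEY_ID": "EXAMPLEKEYID",
        "AWS_SECRET_ACCESS_KEY": "examplesecret",
        "AWS_ENDPOINT_URL": "https://storage.muc1.de.bnerd.com",
        "AWS_REGION": "de-muc1",
    }.items()},
}

if __name__ == "__main__":
    print(boto3_client_kwargs(decode_credentials(SAMPLE_SECRET)))
```

Run rotate("my-app-storage", "my-app", "my-app") against a live cluster; the pure helpers (ready_condition, decode_credentials, boto3_client_kwargs, gib_to_max_size_kb) need no cluster and can be exercised against SAMPLE_SECRET offline.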