Kestra Kubernetes Operator – GitOps for Flows and Resources
How to use the Kestra Kubernetes Operator to provision and manage changes to Kestra resources, including flows, namespace files, and key-value store entries.
Manage Kestra with the Kubernetes Operator
When you deploy flows through GitOps or CI/CD (including the operator), add the system.readOnly label set to "true" so the UI editor is disabled and production configurations stay immutable. This is especially recommended for critical production flows:

    labels:
      system.readOnly: true

This feature requires the Enterprise Edition.
A Kubernetes operator is an application-specific controller that extends the functionality of the Kubernetes API to create, configure, and manage instances of applications or their components on behalf of a Kubernetes user. It is a custom Kubernetes controller that uses custom resources (CR).
To define and manage these components, operators leverage Custom Resource Definitions (CRDs). CRDs allow you to extend the Kubernetes API with new resource types that are specific to your application or service.
The Kestra Kubernetes Operator manages Kestra flows, namespace files, and key-value store entries as Kubernetes resources.
Installing the Kestra Kubernetes Operator
We provide a Helm chart to install Kestra in Kubernetes; see the installation guide. The Kestra Operator can be installed with the kestra-operator chart. To install the chart with the release name my-kestra-operator use:

    $ helm repo add kestra https://helm.kestra.io/
    $ helm install my-kestra-operator kestra/kestra-operator --version 1.0.0

This chart can also deploy the Kestra Kubernetes Operator in your cluster.
The operator automatically creates and updates Kestra CRDs, so it requires Kubernetes RBAC (service account plus cluster-wide roles) that the Helm chart provisions for you. Contact us if you have concerns or run into issues applying it to your cluster.
Because the operator calls the Kestra API, you must provide credentials (either a service account or an API token) if authentication is enabled.
To install the Kestra Kubernetes Operator inside your cluster, you need to configure the following properties in your Helm values:

    operator:
      enabled: true
      apiKey: <your-kestra-api-token>

If you prefer to use a service account, please configure the following properties instead:

    operator:
      enabled: true
      basicAuth: <username:password>

Then run helm install or helm upgrade to roll out the changes to your cluster.
If everything goes well, you will see a kestra-operator pod running.

    kubectl get po
    NAME                                 READY   STATUS    RESTARTS        AGE
    kestra-operator-7d7bdbd846-pzpl2     1/1     Running   0               158m
    kestra-postgresql-0                  1/1     Running   1 (2d23h ago)   3d
    kestra-standalone-677474499f-4r5ft   1/1     Running   2 (5h10m ago)   2d23h

Managing multiple operators in one cluster
Each operator instance manages a single Kestra instance. If you run multiple Kestra deployments in the same Kubernetes cluster, deploy one operator per Kestra instance and scope each operator to the namespaces that will contain that instance’s custom resources.
Configure the namespace watch list via quarkus.operator-sdk.namespaces (Helm chart values) or the QUARKUS_OPERATOR_SDK_NAMESPACES environment variable. Example snippets:

    quarkus:
      operator-sdk:
        namespaces:
          - kestra-dev
          - kestra-prod

    kestraOperator:
      env:
        - name: QUARKUS_OPERATOR_SDK_NAMESPACES
          value: "kestra-dev,kestra-prod"

Deploying separate operator releases with different namespace lists ensures each instance reconciles only its own KestraFlow, KestraKeyValue, and KestraNamespaceFile resources.
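A pre-deployment check for the scoping rule above, as an added example (not part of the Kestra chart or operator): it reads the Helm values of each operator release, in either form shown above, and reports Kubernetes namespaces claimed by more than one release and releases with no watch list. The release names and sample values are constructed, and treating a missing list as unscoped is an assumption based on this page's statement that the operator watches all namespaces.

```ruby
require "yaml"

# Constructed Helm values for three hypothetical operator releases.
RELEASES = {
  "op-dev" => <<~VALUES,
    quarkus:
      operator-sdk:
        namespaces:
          - kestra-dev
  VALUES
  "op-prod" => <<~VALUES,
    kestraOperator:
      env:
        - name: QUARKUS_OPERATOR_SDK_NAMESPACES
          value: "kestra-dev,kestra-prod"
  VALUES
  "op-misc" => "operator:\n  enabled: true\n"
}.freeze

# Returns the namespace watch list from one release's values, or nil when none is set.
def watched_namespaces(values_text)
  values = YAML.safe_load(values_text)
  values = {} unless values.is_a?(Hash)
  listed = values.dig("quarkus", "operator-sdk", "namespaces")
  return listed.map(&:to_s) if listed.is_a?(Array) && !listed.empty?

  env = values.dig("kestraOperator", "env")
  env = [] unless env.is_a?(Array)
  entry = env.find { |e| e.is_a?(Hash) && e["name"] == "QUARKUS_OPERATOR_SDK_NAMESPACES" }
  names = entry ? entry["value"].to_s.split(",").map(&:strip).reject(&:empty?) : []
  names.empty? ? nil : names
end

# Reports namespaces claimed by several releases and releases with no watch list.
def scope_conflicts(releases)
  owners = Hash.new { |hash, key| hash[key] = [] }
  unscoped = []
  releases.each do |name, text|
    list = watched_namespaces(text)
    if list
      list.uniq.each { |ns| owners[ns] << name }
    else
      unscoped << name
    end
  end
  { shared: owners.select { |_, names| names.size > 1 }, unscoped: unscoped }
end
```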
Manage Kestra resources via the operator
The Kestra Kubernetes operator watches for three resource types in all namespaces:
- KestraFlow, shortname flow. To manage flows.
- KestraKeyValue, shortnames keyvalue or kv. To manage K/V store entries.
- KestraNamespaceFile, shortnames namespacefile or nsfile. To manage Namespace files.
Managing Flow resources
Here is an example flow resource that you can create in a hello-world.yml file:

    apiVersion: model.kestra.io/v1alpha1
    kind: KestraFlow
    metadata:
      name: hello-world
    spec:
      id: hello-world
      namespace: company.team # This is a Kestra namespace, not a Kubernetes namespace
      source: |
        id: hello-world
        namespace: company.team
        tasks:
          - id: hello
            type: io.kestra.core.tasks.log.Log

Note: set the flow id and namespace both in the resource spec and inside the flow source so updates are applied correctly.
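A CI lint for the two rules this page gives for operator-managed flows, as an added example (not Kestra's own code): the id and namespace in the resource spec must match those inside the flow source, and the source should carry the system.readOnly label. The sample manifests are constructed, and only the map form of labels shown on this page is recognised.

```ruby
require "yaml"

# Constructed sample: the id inside source differs from spec.id and no label is set.
SAMPLE_BAD = <<~MANIFEST
  apiVersion: model.kestra.io/v1alpha1
  kind: KestraFlow
  metadata:
    name: hello-world
  spec:
    id: hello-world
    namespace: company.team
    source: |
      id: hello-wrld
      namespace: company.team
      tasks:
        - id: hello
          type: io.kestra.core.tasks.log.Log
MANIFEST

# The same manifest with the id corrected and the read-only label added.
SAMPLE_GOOD = SAMPLE_BAD.sub("hello-wrld", "hello-world")
                        .sub("    tasks:", "    labels:\n      system.readOnly: true\n    tasks:")

# Returns a list of findings for one KestraFlow manifest (empty list = pass).
def lint_kestra_flow(manifest_text)
  doc = YAML.safe_load(manifest_text)
  return ["not a KestraFlow resource"] unless doc.is_a?(Hash) && doc["kind"] == "KestraFlow"

  spec = doc["spec"].is_a?(Hash) ? doc["spec"] : {}
  flow = YAML.safe_load(spec["source"].to_s)
  return ["spec.source is not a YAML mapping"] unless flow.is_a?(Hash)

  findings = []
  %w[id namespace].each do |field|
    next if spec[field] == flow[field]
    findings << "spec.#{field} #{spec[field].inspect} != source #{field} #{flow[field].inspect}"
  end
  # Assumption: labels use the map form shown on this page.
  labels = flow["labels"]
  unless labels.is_a?(Hash) && labels["system.readOnly"].to_s == "true"
    findings << "source does not set label system.readOnly to true"
  end
  findings
rescue Psych::SyntaxError => e
  ["invalid YAML: #{e.message}"]
end
```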
You can then use standard kubectl commands to create, update, list, and delete your flows:

    ## Create or update the flow
    kubectl apply -f hello-world.yml

    ## List all flows
    kubectl get flow

    ## Get the 'hello-world' flow
    kubectl get flow hello-world

    ## Delete the 'hello-world' flow
    kubectl delete flow hello-world

Managing K/V entry resources
Here is an example key-value entry resource that you can create in a kv-1.yml file:

    apiVersion: model.kestra.io/v1alpha1
    kind: KestraKeyValue
    metadata:
      name: kv-1
    spec:
      namespace: company.team # This is a Kestra namespace, not a Kubernetes namespace
      key: key1
      value: value1

Use the same kubectl workflow to create, update, list, and delete your entries:

    ## Create or update the k/v entry
    kubectl apply -f kv-1.yml

    ## List all entries
    kubectl get kv

    ## Get the 'kv-1' k/v entry
    kubectl get kv kv-1

    ## Delete the 'kv-1' k/v entry
    kubectl delete kv kv-1

Managing Namespace File resources
Here is an example namespace file resource that you can create in an nsfile-1.yml file:

    apiVersion: model.kestra.io/v1alpha1
    kind: KestraNamespaceFile
    metadata:
      name: nsfile-1
    spec:
      namespace: company.team # This is a Kestra namespace, not a Kubernetes namespace
      filename: nsfile-1.txt
      content: Hello World

You can then use the standard kubectl commands to create, update, list and delete your namespace files:

    ## Create or update the namespace file
    kubectl apply -f nsfile-1.yml

    ## List all namespace files
    kubectl get nsfile

    ## Get the 'nsfile-1' namespace file
    kubectl get nsfile nsfile-1

    ## Delete the 'nsfile-1' namespace file
    kubectl delete nsfile nsfile-1