ServiceAccount `mongodb-kubernetes-appdb` missing when deploying `MongoDBCommunity`

[bitfisher]

What did you do to encounter the bug?
Steps to reproduce the behavior:

1. Install operator
2. Deploy MongoDBCommunity with

apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
  name: sample-mongodb
  namespace: mas-test
  annotations:
    mongodb.com/v1.architecture: "static"
spec:
  type: ReplicaSet
  members: 1
  arbiters: 0
  version: "7.0.24"
  featureCompatibilityVersion: "7.0"
  statefulSet:
    spec:
      template:
        spec:
          containers:
          - name: mongod
            resources:
              requests:
                cpu: 100m
                memory: 256Mi
              limits:
                cpu: 1000m
                memory: 512Mi
          - name: mongodb-agent
            resources:
              requests:
                cpu: 100m
                memory: 128Mi
              limits:
                cpu: 1000m
                memory: 512Mi
          initContainers:
          - name: mongodb-agent-readinessprobe
            resources:
              requests:
                cpu: 100m
                memory: 128Mi
              limits:
                cpu: 1000m
                memory: 512Mi
          - name: mongod-posthook
            resources:
              requests:
                cpu: 100m
                memory: 256Mi
              limits:
                cpu: 1000m
                memory: 512Mi
      volumeClaimTemplates:
      - metadata:
          name: data-volume
        spec:
          resources:
            requests:
              storage: 1Gi
      - metadata:
          name: logs-volume
        spec:
          resources:
            requests:
              storage: 0Mi
  security:
    authentication:
      modes: ["SCRAM"]
  users:
    - name: sample
      db: SampleDB
      scramCredentialsSecretName: sample
      passwordSecretRef:
        name: sample-mongodb
      roles:
        - name: dbOwner
          db: SampleDB
  agent:
    logFile: /dev/stdout
---

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: sample-mongodb
  namespace: mas-test
data:
  password: c2FtcGxl

No pod is created due to missing ServiceAccount mongodb-kubernetes-appdb.

What did you expect?
ServiceAccount mongodb-kubernetes-appdb created and Pod starting up.

What happened instead?
StatefulSet keeps in progressing state and is never starting up.

Screenshots
kubectl describe sts sample-mongodb:

Name:               sample-mongodb
Namespace:          mas-test
CreationTimestamp:  Thu, 02 Oct 2025 08:27:09 +0200
Selector:           app=sample-mongodb-svc
Labels:             <none>
Annotations:        <none>
Replicas:           1 desired | 0 total
Update Strategy:    RollingUpdate
Pods Status:        0 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
  Labels:           app=sample-mongodb-svc
  Service Account:  mongodb-kubernetes-appdb
  Init Containers:
   mongod-posthook:
    Image:      quay.io/mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook:1.0.9
    Port:       <none>
    Host Port:  <none>
    Command:
      cp
      version-upgrade-hook
      /hooks/version-upgrade
    Limits:
      cpu:     1
      memory:  512Mi
    Requests:
      cpu:        100m
      memory:     256Mi
    Environment:  <none>
    Mounts:
      /hooks from hooks (rw)
   mongodb-agent-readinessprobe:
    Image:      quay.io/mongodb/mongodb-kubernetes-readinessprobe:1.0.22
    Port:       <none>
    Host Port:  <none>
    Command:
      cp
      /probes/readinessprobe
      /opt/scripts/readinessprobe
    Limits:
      cpu:     1
      memory:  512Mi
    Requests:
      cpu:        100m
      memory:     128Mi
    Environment:  <none>
    Mounts:
      /opt/scripts from agent-scripts (rw)
  Containers:
   mongod:
    Image:      quay.io/mongodb/mongodb-community-server:7.0.24-ubi9
    Port:       <none>
    Host Port:  <none>
    Command:
      /bin/sh
      -c
      
      if [ -e "/hooks/version-upgrade" ]; then
        #run post-start hook to handle version changes (if exists)
          /hooks/version-upgrade
      fi
      
      # wait for config and keyfile to be created by the agent
      echo "Waiting for config and keyfile files to be created by the agent..."
      while ! [ -f /data/automation-mongod.conf -a -f /var/lib/mongodb-mms-automation/authentication/keyfile ]; do
        sleep 3;
        echo "Waiting..."
      done
      
      # sleep is important after agent issues shutdown command
      # k8s restarts the mongod container too quickly for the agent to realize mongod is down
      echo "Sleeping for 15s..."
      sleep 15
      
      # start mongod with this configuration
      echo "Starting mongod..."
      exec mongod -f /data/automation-mongod.conf
      
    Args:
      
    Limits:
      cpu:     1
      memory:  512Mi
    Requests:
      cpu:     100m
      memory:  256Mi
    Environment:
      AGENT_STATUS_FILEPATH:  /healthstatus/agent-health-status.json
    Mounts:
      /data from data-volume (rw)
      /healthstatus from healthstatus (rw)
      /hooks from hooks (rw)
      /tmp from tmp (rw)
      /var/lib/mongodb-mms-automation/authentication from sample-mongodb-keyfile (rw)
      /var/log/mongodb-mms-automation from logs-volume (rw)
   mongodb-agent:
    Image:      quay.io/mongodb/mongodb-agent:108.0.2.8729-1
    Port:       <none>
    Host Port:  <none>
    Command:
      /bin/bash
      -c
      current_uid=$(id -u)
      declare -r current_uid
      if ! grep -q "${current_uid}" /etc/passwd ; then
      sed -e "s/^mongodb:/builder:/" /etc/passwd > /tmp/passwd
      echo "mongodb:x:$(id -u):$(id -g):,,,:/:/bin/bash" >> /tmp/passwd
      export NSS_WRAPPER_PASSWD=/tmp/passwd
      export LD_PRELOAD=libnss_wrapper.so
      export NSS_WRAPPER_GROUP=/etc/group
      fi
      agent/mongodb-agent -healthCheckFilePath=/var/log/mongodb-mms-automation/healthstatus/agent-health-status.json -serveStatusPort=5000 -cluster=/var/lib/automation/config/cluster-config.json -skipMongoStart -noDaemonize -useLocalMongoDbTools -logLevel INFO
    Limits:
      cpu:     1
      memory:  512Mi
    Requests:
      cpu:      100m
      memory:   128Mi
    Readiness:  exec [/opt/scripts/readinessprobe] delay=5s timeout=1s period=10s #success=1 #failure=40
    Environment:
      AGENT_STATUS_FILEPATH:  /var/log/mongodb-mms-automation/healthstatus/agent-health-status.json
      AUTOMATION_CONFIG_MAP:  sample-mongodb-config
      HEADLESS_AGENT:         true
      POD_NAMESPACE:           (v1:metadata.namespace)
    Mounts:
      /data from data-volume (rw)
      /opt/scripts from agent-scripts (rw)
      /tmp from tmp (rw)
      /var/lib/automation/config from automation-config (ro)
      /var/lib/mongodb-mms-automation/authentication from sample-mongodb-keyfile (rw)
      /var/log/mongodb-mms-automation from logs-volume (rw)
      /var/log/mongodb-mms-automation/healthstatus from healthstatus (rw)
  Volumes:
   agent-scripts:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
   automation-config:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  sample-mongodb-config
    Optional:    false
   healthstatus:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
   hooks:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
   sample-mongodb-keyfile:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
   tmp:
    Type:          EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:        
    SizeLimit:     <unset>
  Node-Selectors:  <none>
  Tolerations:     <none>
Volume Claims:
  Name:          data-volume
  StorageClass:  
  Labels:        <none>
  Annotations:   <none>
  Capacity:      1Gi
  Access Modes:  [ReadWriteOnce]
  Name:          logs-volume
  StorageClass:  
  Labels:        <none>
  Annotations:   <none>
  Capacity:      0
  Access Modes:  [ReadWriteOnce]
Events:
  Type     Reason        Age                  From                    Message
  ----     ------        ----                 ----                    -------
  Warning  FailedCreate  22s (x15 over 104s)  statefulset-controller  create Pod sample-mongodb-0 in StatefulSet sample-mongodb failed error: pods "sample-mongodb-0" is forbidden: error looking up service account mas-test/mongodb-kubernetes-appdb: serviceaccount "mongodb-kubernetes-appdb" not found

Operator Information

• Operator Version: 1.4.0
• MongoDB Image used: quay.io/mongodb/mongodb-community-server:7.0.24-ubi9 (same with -ubi8)

Kubernetes Cluster Information

• Distribution: RKE2
• Version: 1.32.9
• Image Registry location (quay, or an internal registry): quay

Additional context
Operator was deployed with Helm Chart mongodb/mongodb-kubernetes using following values:

operator:
  replicas: 1
  mdbDefaultArchitecture: static
  managedSecurityContext: false
  watchNamespace: "*"

  vaultSecretBackend:
    enabled: false

  telemetry:
    enabled: false
    collection:
      frequency: 720h
    send:
      frequency: 720h

registry:
  pullPolicy: IfNotPresent

community:
  mongodb:
    imageType: ubi9
  resource:
    tls:
      enabled: false

Due to enforced restricted security policy i had to patch the operator with

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mongodb-kubernetes-operator
  namespace: mongodb-operator
spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
        runAsGroup: 2000
        fsGroup: 2000
        fsGroupChangePolicy: "OnRootMismatch"
        seccompProfile:
          type: "RuntimeDefault"
      volumes:
      - name: tmp
        emptyDir:
          medium: Memory
      containers:
        - name: mongodb-kubernetes-operator
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
              - ALL
          volumeMounts:
          - name: tmp
            mountPath: /tmp

If possible, please include:

• The operator logs

operator.log

• Below we assume that your replicaset database pods are named mongo-<>. For instance:

❯ k get pods
NAME      READY   STATUS    RESTARTS   AGE
                                                                                     
❯ k get mdbc
NAME    PHASE     VERSION
NAMESPACE   NAME             PHASE     VERSION
mas-test    sample-mongodb   Pending   

[bitfisher]

Adding SA to manifests and adjusting securityContext results in a Pod getting deployed, but mongodb-agent never becomes Ready.

apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
  name: sample-mongodb
  namespace: mas-test
  annotations:
    mongodb.com/v1.architecture: "static"
spec:
  type: ReplicaSet
  members: 1
  arbiters: 0
  version: "7.0.24"
  featureCompatibilityVersion: "7.0"
  statefulSet:
    spec:
      template:
        spec:
          securityContext:
            runAsNonRoot: true
            runAsUser: 2000
            runAsGroup: 2000
            fsGroup: 2000
            fsGroupChangePolicy: "OnRootMismatch"
            seccompProfile:
              type: "RuntimeDefault"
          containers:
          - name: mongod
            resources:
              requests:
                cpu: 100m
                memory: 256Mi
              limits:
                cpu: 1000m
                memory: 512Mi
            securityContext:
              capabilities:
                drop:
                - ALL
          - name: mongodb-agent
            resources:
              requests:
                cpu: 100m
                memory: 128Mi
              limits:
                cpu: 1000m
                memory: 512Mi
            securityContext:
              capabilities:
                drop:
                - ALL
          initContainers:
          - name: mongodb-agent-readinessprobe
            resources:
              requests:
                cpu: 100m
                memory: 128Mi
              limits:
                cpu: 1000m
                memory: 512Mi
            securityContext:
              capabilities:
                drop:
                - ALL
          - name: mongod-posthook
            resources:
              requests:
                cpu: 100m
                memory: 256Mi
              limits:
                cpu: 1000m
                memory: 512Mi
            securityContext:
              capabilities:
                drop:
                - ALL
      volumeClaimTemplates:
      - metadata:
          name: data-volume
        spec:
          resources:
            requests:
              storage: 1Gi
      - metadata:
          name: logs-volume
        spec:
          resources:
            requests:
              storage: 0Mi
  security:
    authentication:
      modes: ["SCRAM"]
  users:
    - name: sample
      db: SampleDB
      scramCredentialsSecretName: sample
      passwordSecretRef:
        name: sample-mongodb
      roles:
        - name: dbOwner
          db: SampleDB
  agent:
    logFile: /dev/stdout

---

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: sample-mongodb
  namespace: mas-test
data:
  password: c2FtcGxl

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: mongodb-kubernetes-appdb
  namespace: mas-test

k describe po sample-mongodb-0 :

Name:             sample-mongodb-0
Namespace:        mas-test
Priority:         0
Service Account:  mongodb-kubernetes-appdb
Node:             onl-cloud-dev-02/10.99.3.2
Start Time:       Thu, 02 Oct 2025 09:39:41 +0200
Labels:           app=sample-mongodb-svc
                  apps.kubernetes.io/pod-index=0
                  controller-revision-hash=sample-mongodb-5f6785cbd4
                  statefulset.kubernetes.io/pod-name=sample-mongodb-0
Annotations:      cni.projectcalico.org/containerID: 915766cdf42f81a28b3b507710b65521117c452accd460382eceb29b18e0057f
                  cni.projectcalico.org/podIP: 10.42.0.35/32
                  cni.projectcalico.org/podIPs: 10.42.0.35/32
Status:           Running
SeccompProfile:   RuntimeDefault
IP:               10.42.0.35
IPs:
  IP:           10.42.0.35
Controlled By:  StatefulSet/sample-mongodb
Init Containers:
  mongod-posthook:
    Container ID:  containerd://eb13d57cb7912c29aa27d0b037af2b67caf2b37b0020dbef10b7eb4d2214ffe4
    Image:         quay.io/mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook:1.0.9
    Image ID:      quay.io/mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook@sha256:71aa85ff8cc45c245fef869d6027db47d047d29eac3e5e2a5802e36ed5a97196
    Port:          <none>
    Host Port:     <none>
    Command:
      cp
      version-upgrade-hook
      /hooks/version-upgrade
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Thu, 02 Oct 2025 09:39:46 +0200
      Finished:     Thu, 02 Oct 2025 09:39:46 +0200
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     1
      memory:  512Mi
    Requests:
      cpu:        100m
      memory:     256Mi
    Environment:  <none>
    Mounts:
      /hooks from hooks (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-29m4f (ro)
  mongodb-agent-readinessprobe:
    Container ID:  containerd://5a79f9fa07ca96fec8cb63fe01772a1f32576cf92f1a12cc22fb1fb73baedaa8
    Image:         quay.io/mongodb/mongodb-kubernetes-readinessprobe:1.0.22
    Image ID:      quay.io/mongodb/mongodb-kubernetes-readinessprobe@sha256:a02a605c3e07b660650458034b059423c6dacf89f57b839fe78005d3ea547c30
    Port:          <none>
    Host Port:     <none>
    Command:
      cp
      /probes/readinessprobe
      /opt/scripts/readinessprobe
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Thu, 02 Oct 2025 09:39:47 +0200
      Finished:     Thu, 02 Oct 2025 09:39:47 +0200
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     1
      memory:  512Mi
    Requests:
      cpu:        100m
      memory:     128Mi
    Environment:  <none>
    Mounts:
      /opt/scripts from agent-scripts (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-29m4f (ro)
Containers:
  mongod:
    Container ID:  containerd://8f57598210ebeb32e1ecba6feac45a465d897f0c21539dbba34c44c1659b13be
    Image:         quay.io/mongodb/mongodb-community-server:7.0.24-ubi8
    Image ID:      quay.io/mongodb/mongodb-community-server@sha256:6fcf50535e0660f45a6d279e184e18401b7736fb345347f66bc9e5b52b99a7c7
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sh
      -c
      
      if [ -e "/hooks/version-upgrade" ]; then
        #run post-start hook to handle version changes (if exists)
          /hooks/version-upgrade
      fi
      
      # wait for config and keyfile to be created by the agent
      echo "Waiting for config and keyfile files to be created by the agent..."
      while ! [ -f /data/automation-mongod.conf -a -f /var/lib/mongodb-mms-automation/authentication/keyfile ]; do
        sleep 3;
        echo "Waiting..."
      done
      
      # sleep is important after agent issues shutdown command
      # k8s restarts the mongod container too quickly for the agent to realize mongod is down
      echo "Sleeping for 15s..."
      sleep 15
      
      # start mongod with this configuration
      echo "Starting mongod..."
      exec mongod -f /data/automation-mongod.conf
      
    Args:
      
    State:          Running
      Started:      Thu, 02 Oct 2025 09:40:50 +0200
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     1
      memory:  512Mi
    Requests:
      cpu:     100m
      memory:  256Mi
    Environment:
      AGENT_STATUS_FILEPATH:  /healthstatus/agent-health-status.json
    Mounts:
      /data from data-volume (rw)
      /healthstatus from healthstatus (rw)
      /hooks from hooks (rw)
      /tmp from tmp (rw)
      /var/lib/mongodb-mms-automation/authentication from sample-mongodb-keyfile (rw)
      /var/log/mongodb-mms-automation from logs-volume (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-29m4f (ro)
  mongodb-agent:
    Container ID:  containerd://9507640f163b320c5f9c5d40a159561c757581e0663d1f759c7ad81bfb8451c4
    Image:         quay.io/mongodb/mongodb-agent:108.0.2.8729-1
    Image ID:      quay.io/mongodb/mongodb-agent@sha256:b422829aac63f068aed4a6948fd14cbd3c3bfad6d47ab76523f6839bf20b0203
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/bash
      -c
      current_uid=$(id -u)
      declare -r current_uid
      if ! grep -q "${current_uid}" /etc/passwd ; then
      sed -e "s/^mongodb:/builder:/" /etc/passwd > /tmp/passwd
      echo "mongodb:x:$(id -u):$(id -g):,,,:/:/bin/bash" >> /tmp/passwd
      export NSS_WRAPPER_PASSWD=/tmp/passwd
      export LD_PRELOAD=libnss_wrapper.so
      export NSS_WRAPPER_GROUP=/etc/group
      fi
      agent/mongodb-agent -healthCheckFilePath=/var/log/mongodb-mms-automation/healthstatus/agent-health-status.json -serveStatusPort=5000 -cluster=/var/lib/automation/config/cluster-config.json -skipMongoStart -noDaemonize -useLocalMongoDbTools -logLevel INFO
    State:          Running
      Started:      Thu, 02 Oct 2025 09:40:51 +0200
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     1
      memory:  512Mi
    Requests:
      cpu:      100m
      memory:   128Mi
    Readiness:  exec [/opt/scripts/readinessprobe] delay=5s timeout=1s period=10s #success=1 #failure=40
    Environment:
      AGENT_STATUS_FILEPATH:  /var/log/mongodb-mms-automation/healthstatus/agent-health-status.json
      AUTOMATION_CONFIG_MAP:  sample-mongodb-config
      HEADLESS_AGENT:         true
      POD_NAMESPACE:          mas-test (v1:metadata.namespace)
    Mounts:
      /data from data-volume (rw)
      /opt/scripts from agent-scripts (rw)
      /tmp from tmp (rw)
      /var/lib/automation/config from automation-config (ro)
      /var/lib/mongodb-mms-automation/authentication from sample-mongodb-keyfile (rw)
      /var/log/mongodb-mms-automation from logs-volume (rw)
      /var/log/mongodb-mms-automation/healthstatus from healthstatus (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-29m4f (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True 
  Initialized                 True 
  Ready                       False 
  ContainersReady             False 
  PodScheduled                True 
Volumes:
  logs-volume:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  logs-volume-sample-mongodb-0
    ReadOnly:   false
  data-volume:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  data-volume-sample-mongodb-0
    ReadOnly:   false
  agent-scripts:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  automation-config:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  sample-mongodb-config
    Optional:    false
  healthstatus:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  hooks:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  sample-mongodb-keyfile:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  tmp:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  kube-api-access-29m4f:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    Optional:                false
    DownwardAPI:             true
QoS Class:                   Burstable
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason                  Age   From                     Message
  ----     ------                  ----  ----                     -------
  Normal   Scheduled               15m   default-scheduler        Successfully assigned mas-test/sample-mongodb-0 to onl-cloud-dev-02
  Normal   SuccessfulAttachVolume  15m   attachdetach-controller  AttachVolume.Attach succeeded for volume "pvc-ef95e425-4074-4976-9c9c-159c516b6b7c"
  Normal   SuccessfulAttachVolume  15m   attachdetach-controller  AttachVolume.Attach succeeded for volume "pvc-8204d2b0-6d87-4715-8e8f-1a461a388f93"
  Normal   Pulling                 15m   kubelet                  Pulling image "quay.io/mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook:1.0.9"
  Normal   Pulled                  15m   kubelet                  Successfully pulled image "quay.io/mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook:1.0.9" in 421ms (421ms including waiting). Image size: 58498185 bytes.
  Normal   Created                 15m   kubelet                  Created container: mongod-posthook
  Normal   Started                 15m   kubelet                  Started container mongod-posthook
  Normal   Pulling                 15m   kubelet                  Pulling image "quay.io/mongodb/mongodb-kubernetes-readinessprobe:1.0.22"
  Normal   Pulled                  15m   kubelet                  Successfully pulled image "quay.io/mongodb/mongodb-kubernetes-readinessprobe:1.0.22" in 402ms (402ms including waiting). Image size: 60013254 bytes.
  Normal   Created                 15m   kubelet                  Created container: mongodb-agent-readinessprobe
  Normal   Started                 15m   kubelet                  Started container mongodb-agent-readinessprobe
  Normal   Pulling                 15m   kubelet                  Pulling image "quay.io/mongodb/mongodb-community-server:7.0.24-ubi8"
  Normal   Pulled                  14m   kubelet                  Successfully pulled image "quay.io/mongodb/mongodb-community-server:7.0.24-ubi8" in 1m2.293s (1m2.293s including waiting). Image size: 396831452 bytes.
  Normal   Created                 14m   kubelet                  Created container: mongod
  Normal   Started                 14m   kubelet                  Started container mongod
  Normal   Pulling                 14m   kubelet                  Pulling image "quay.io/mongodb/mongodb-agent:108.0.2.8729-1"
  Normal   Pulled                  14m   kubelet                  Successfully pulled image "quay.io/mongodb/mongodb-agent:108.0.2.8729-1" in 450ms (450ms including waiting). Image size: 182416151 bytes.
  Normal   Created                 14m   kubelet                  Created container: mongodb-agent
  Normal   Started                 14m   kubelet                  Started container mongodb-agent
  Warning  Unhealthy               14m   kubelet                  Readiness probe failed: {"level":"info","ts":"2025-10-02T07:41:03.023Z","msg":"logging configuration: &{Filename:/var/log/mongodb-mms-automation/readiness.log MaxSize:5 MaxAge:0 MaxBackups:5 LocalTime:false Compress:false size:0 file:<nil> mu:{state:0 sema:0} millCh:<nil> startMill:{done:{_:{} v:0} m:{state:0 sema:0}}}"}
{"level":"error","ts":"2025-10-02T07:41:03.031Z","msg":"There was problem checking the health status: failed to fetch automation-config secret name: sample-mongodb-config, err: secrets \"sample-mongodb-config\" is forbidden: User \"system:serviceaccount:mas-test:mongodb-kubernetes-appdb\" cannot get resource \"secrets\" in API group \"\" in the namespace \"mas-test\""}
panic: failed to fetch automation-config secret name: sample-mongodb-config, err: secrets "sample-mongodb-config" is forbidden: User "system:serviceaccount:mas-test:mongodb-kubernetes-appdb" cannot get resource "secrets" in API group "" in the namespace "mas-test"

BTW i had to update operator with imageType: "ubi8" because there is no ubi9 for v7.

It seems a bit weird that it is necessary to update operator when i want to change an imageType.
Even setting it to an empty string and append eg -ubi8 to version doesn't work as it will result in eg 7.0.24-ubi8-.
I wonder what's the intended way for testing eg an upgrade from 7.0.24-ubi8 to 8.0.14-ubi9?

[bitfisher]

After adding Role and RoleBinding also, i was able to get a running and ready pod.

apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
  name: sample-mongodb
  namespace: mas-test
  annotations:
    mongodb.com/v1.architecture: "static"
spec:
  type: ReplicaSet
  members: 1
  arbiters: 0
  version: "7.0.24"
  featureCompatibilityVersion: "7.0"
  statefulSet:
    spec:
      template:
        spec:
          securityContext:
            runAsNonRoot: true
            runAsUser: 2000
            runAsGroup: 2000
            fsGroup: 2000
            fsGroupChangePolicy: "OnRootMismatch"
            seccompProfile:
              type: "RuntimeDefault"
          containers:
          - name: mongod
            resources:
              requests:
                cpu: 100m
                memory: 256Mi
              limits:
                cpu: 1000m
                memory: 512Mi
            securityContext:
              capabilities:
                drop:
                - ALL
          - name: mongodb-agent
            resources:
              requests:
                cpu: 100m
                memory: 128Mi
              limits:
                cpu: 1000m
                memory: 512Mi
            securityContext:
              capabilities:
                drop:
                - ALL
          initContainers:
          - name: mongodb-agent-readinessprobe
            resources:
              requests:
                cpu: 100m
                memory: 128Mi
              limits:
                cpu: 1000m
                memory: 512Mi
            securityContext:
              capabilities:
                drop:
                - ALL
          - name: mongod-posthook
            resources:
              requests:
                cpu: 100m
                memory: 256Mi
              limits:
                cpu: 1000m
                memory: 512Mi
            securityContext:
              capabilities:
                drop:
                - ALL
      volumeClaimTemplates:
      - metadata:
          name: data-volume
        spec:
          resources:
            requests:
              storage: 1Gi
      - metadata:
          name: logs-volume
        spec:
          resources:
            requests:
              storage: 10Mi
  security:
    authentication:
      modes: ["SCRAM"]
  users:
    - name: sample
      db: SampleDB
      scramCredentialsSecretName: sample
      passwordSecretRef:
        name: sample-mongodb
      roles:
        - name: dbOwner
          db: SampleDB
  agent:
    logFile: /dev/stdout

---

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: sample-mongodb
  namespace: mas-test
data:
  password: c2FtcGxl

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: mongodb-kubernetes-appdb
  namespace: mas-test

---

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mongodb-kubernetes-appdb
  namespace: mas-test
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - patch
  - delete
  - get

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mongodb-kubernetes-appdb
  namespace: mas-test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mongodb-kubernetes-appdb
subjects:
- kind: ServiceAccount
  name: mongodb-kubernetes-appdb
  namespace: mas-test

---

phu ... that was a tough one ... lot of adjustments and additions to get a simple mongodb instance up and running

[bitfisher]

Just tested update case 7.0.24-ubi8 to 8.0.14-ubi9 ...

Following steps in exact order are needed:

1. update version of MongoDBCommunity from 7.0.24 to 8.0.14 -> updates STS/Pods to 8.0.14-ubi8
2. update operator with community.mongodb.imageType="ubi9" -> updates STS/Pods to 8.0.14-ubi9

It seems that operator is reconciling STS in Ready state only.

For example when using 7.0.24 with imageType ubi8 and updating imageType to ubi9 will result in updated STS/Pods to 7.0.24-ubi9 but they remain in ErrImagePull forever and never recovers, even when setting back imageType again.

Same happens for example when using a wrong version mistakenly (eg 8.0.24 instead of 8.0.14). Operator updates STS with the wrong version which results in Pods with state ErrImagePull and never recovers, even when updating to correct version.

[pedronieto1206]

I am having the same issue with the community operator:

Warning FailedCreate 3m50s (x18 over 14m) statefulset-controller create Pod example-mongodb-0 in StatefulSet example-mongodb failed error: pods "example-mongodb-0" is forbidden: error looking up service account output-feed-generator/mongodb-kubernetes-appdb: serviceaccount "mongodb-kubernetes-appdb" not found

Why is the operator not creating the SA for this?

[KrisJohnstone]

This looks to be kinda to design, its a bit shit (but there are security implications so it also makes sense) and should probably be called out to make this clear but essentially, the Watch NS parameter expects a list of namespaces not a wild card. The helm chart then loops through and creates the role/sa/rb in those namespaces.

mongodb-kubernetes/helm_chart/templates/database-roles.yaml

Line 1 in 9f297b9

{{ if .Values.operator.createResourcesServiceAccountsAndRoles }}

[bitfisher]

@KrisJohnstone thanks for the clarification

so i have to know the namespaces in advance or update operator everytime when i need to deploy mongo into a new namespace.
seems weird though.
this is definitely something the operator should do.