Deploy a MinIO Tenant
This procedure documents deploying a MinIO Tenant onto a stock Kubernetes cluster using the MinIO Operator Console.

The MinIO Operator supports only the Distributed (Multi-Node Multi-Drive) MinIO topology. You can use basic Kubernetes YAML resource definitions to deploy Single-Node Single-Drive and Single-Node Multi-Drive topologies for local testing and evaluation as necessary.
The Operator Console provides a rich user interface for deploying and managing MinIO Tenants on Kubernetes infrastructure. Installing the MinIO Kubernetes Operator automatically installs and configures the Operator Console.
This documentation assumes familiarity with all referenced Kubernetes concepts, utilities, and procedures. While this documentation may provide guidance for configuring or deploying Kubernetes-related resources on a best-effort basis, it is not a replacement for the official Kubernetes Documentation.
Prerequisites
MinIO Kubernetes Operator and Plugin
The procedures on this page require a valid installation of the MinIO Kubernetes Operator and assume the local host has a matching installation of the MinIO Kubernetes Operator. This procedure assumes the latest stable Operator and Plugin version 5.0.5.
See Deploy the MinIO Operator for complete documentation on deploying the MinIO Operator.
You can install the MinIO plugin using either the Kubernetes Krew plugin manager or manually by downloading and installing the plugin binary to your local host:
Krew is a kubectl plugin manager developed by the Kubernetes SIG CLI group.
See the krew installation documentation for specific instructions.
You can use the Krew plugin for Linux, MacOS, and Windows operating systems.
You can use Krew to install the MinIO kubectl plugin using the following commands:
kubectl krew update
kubectl krew install minio
If you want to update the MinIO plugin with Krew, use the following command:
kubectl krew upgrade minio
You can validate the installation of the MinIO plugin using the following command:
kubectl minio version
The output should match 5.0.5.
You can download the MinIO kubectl plugin to your local system path.
The kubectl CLI automatically discovers and runs compatible plugins.
The following code downloads the latest stable version 5.0.5 of the MinIO Kubernetes plugin and installs it to the system path:
# -L follows GitHub's redirect to the release asset; -f fails on an HTTP error instead of saving the error page
curl -fL https://github.com/minio/operator/releases/download/v5.0.5/kubectl-minio_5.0.5_linux_amd64 -o kubectl-minio
chmod +x kubectl-minio
mv kubectl-minio /usr/local/bin/
The mv command above may require sudo escalation depending on the permissions of the authenticated user.
Run the following command to verify installation of the plugin:
kubectl minio version
The output should display the Operator version as 5.0.5.
You can download the MinIO kubectl plugin to your local system path.
The kubectl CLI automatically discovers and runs compatible plugins.
The following PowerShell command downloads the latest stable version 5.0.5 of the MinIO Kubernetes plugin and installs it to the system path:
Invoke-WebRequest -Uri "https://github.com/minio/operator/releases/download/v5.0.5/kubectl-minio_5.0.5_windows_amd64.exe" -OutFile "C:\kubectl-plugins\kubectl-minio.exe"
Ensure the path to the plugin folder is included in the Windows PATH.
Run the following command to verify installation of the plugin:
kubectl minio version
The output should display the Operator version as 5.0.5.
Kubernetes Version 1.19.0
Starting with v4.0.0, the MinIO Operator requires Kubernetes 1.19.0 and later.
The Kubernetes infrastructure and the kubectl CLI tool must have the same version of 1.19.0+.
This procedure assumes the host machine has kubectl installed and configured with access to the target Kubernetes cluster.
The host machine must have access to a web browser application.
Persistent Volumes
MinIO can use any Kubernetes Persistent Volume (PV) that supports the ReadWriteOnce access mode.
MinIO’s consistency guarantees require the exclusive storage access that ReadWriteOnce provides.
For Kubernetes clusters where nodes have Direct Attached Storage, MinIO strongly recommends using the DirectPV CSI driver. DirectPV provides a distributed persistent volume manager that can discover, format, mount, schedule, and monitor drives across Kubernetes nodes. DirectPV addresses the limitations of manually provisioning and monitoring local persistent volumes.
Deploy a Tenant using the MinIO Operator Console
To deploy a tenant from the MinIO Operator Console, complete the following steps in order:
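1) Access the MinIO Operator Console
2) Complete the Tenant Setup
3) The Configure Section
4) The Images Section
5) The Pod Placement Section
6) The Identity Provider Section
7) The Security Section
8) The Encryption Section
9) Audit Log Settings
10) Monitoring Settings
11) Deploy and View the Tenant
12) Connect to the Tenant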
1) Access the MinIO Operator Console
Port Forwarding
Note
Some Kubernetes deployments may experience issues with timeouts during port-forwarding operations with the Operator Console. Select the NodePorts section to view instructions for alternative access. You can alternatively configure your preferred Ingress to grant access to the Operator Console service. See https://github.com/kubernetes/kubectl/issues/1368 for more information.
Run the kubectl minio proxy command to temporarily forward traffic from the MinIO Operator Console service to your local machine:
kubectl minio proxy
The command output includes a required token for logging into the Operator Console.

You can deploy a new MinIO Tenant from the Operator Dashboard.
NodePorts
Use the following command to identify the NodePorts configured for the Operator Console.
If your local host does not have the jq utility installed, you can run the first command and locate the spec.ports section of the output.
kubectl get svc/console -n minio-operator -o json | jq -r '.spec.ports'
The output resembles the following:
[
  {
    "name": "http",
    "nodePort": 31055,
    "port": 9090,
    "protocol": "TCP",
    "targetPort": 9090
  },
  {
    "name": "https",
    "nodePort": 31388,
    "port": 9443,
    "protocol": "TCP",
    "targetPort": 9443
  }
]
Use the http or https port depending on whether you deployed the Operator with Console TLS enabled via kubectl minio init --console-tls.
Append the nodePort value to the externally-accessible IP address of a worker node in your Kubernetes cluster.
Use the following command to retrieve the JWT token necessary for logging into the Operator Console:
kubectl get secret/console-sa-secret -n minio-operator -o json | jq -r '.data.token' | base64 -d
Open your browser to the specified URL and enter the JWT Token into the login page. You should see the Tenants page:

Click + Create Tenant to start creating a MinIO Tenant.
2) Complete the Tenant Setup
The Setup pane displays core configuration settings for the MinIO Tenant.
Settings marked with an asterisk * are required:
Field | Description
---|---
Name | The name of the MinIO Tenant
Namespace | The Kubernetes Namespace in which to deploy the tenant. You can create the namespace by selecting the plus + icon if it does not exist. The Operator supports at most one MinIO Tenant per namespace.
Storage Class | Specify the Kubernetes Storage Class the Operator uses when generating Persistent Volume Claims for the Tenant. Ensure the specified storage class has sufficient available Persistent Volume resources to match each generated Persistent Volume Claim.
Number of Servers | The total number of MinIO server pods to deploy in the Tenant. The Operator enforces a minimum of four server pods per tenant. The Operator by default uses pod anti-affinity, such that the Kubernetes cluster must have at least one worker node per MinIO server pod. Use the Pod Placement pane to modify the pod scheduling settings for the Tenant.
Number of Drives per Server | The number of storage volumes (Persistent Volume Claims) the Operator requests per Server. The Operator displays the Total Volumes under the Resource Allocation section. The Operator generates an equal number of PVC plus two for supporting Tenant services (Metrics and Log Search). The specified Storage Class must correspond to a set of Persistent Volumes sufficient in number to match each generated PVC.
Total Size | The total raw storage size for the Tenant. Specify both the total storage size and the Unit of that storage. All storage units are in SI values, e.g. \(Gi = GiB = 1024^3\) bytes. The Operator displays the Drive Capacity under the Resource Allocation section. The Operator sets this value as the requested storage capacity in each generated PVC. The specified Storage Class must correspond to a set of Persistent Volumes sufficient in capacity to match each generated PVC.
Memory per Node [Gi] | Specify the total amount of memory (RAM) to allocate per MinIO server pod. See Memory for guidance on setting this value. The Kubernetes cluster must have worker nodes with sufficient free RAM to match the pod request.
Erasure Code Parity | The Erasure Code Parity to set for the deployment. The Operator displays the selected parity and its effect on the deployment under the Erasure Code Configuration section. Erasure Code parity defines the overall resiliency and availability of data on the cluster. Higher parity values increase tolerance to drive or node failure at the cost of total storage. See Erasure Coding for more complete documentation.
Select Create to create the Tenant using the current configuration. While all subsequent sections are optional, MinIO recommends reviewing them prior to deploying the Tenant.
3) The Configure Section
The Configure section displays optional configuration settings for the MinIO Tenant and its supporting services.
Field | Description
---|---
Expose MinIO Service | The MinIO Operator by default directs the MinIO Tenant services to request an externally accessible IP address from the Kubernetes cluster Load Balancer if one is available to access the tenant. Your Kubernetes distributions may include a load balancer that can respond to these requests. Installation and configuration of load balancers is out of the scope of this documentation.
Expose Console Service | Select whether the Tenant should request an IP address from the Load Balancer to access the Tenant’s Console. Your Kubernetes distributions may include a load balancer that can respond to these requests. Installation and configuration of load balancers is out of the scope of this documentation.
Set Custom Domains | Toggle on to customize the domains allowed to access the tenant’s console and other tenant services.
Security Context | The MinIO Operator sets the Kubernetes Security Context for pods to a default of You can modify the Security Context to direct MinIO to run using a different User, Group, FsGroup ID, and FSGroupChangePolicy. You can also direct MinIO to run as the Root user.
Custom Runtime Configurations | Toggle on to customize the Runtime Class for the tenant to use.
Additional Environment Variables | Enter any additional key:value pairs to use as environment variables for the tenant.
4) The Images Section
The Images section displays container image settings used by the MinIO Tenant.
Field | Description
---|---
MinIO’s Image | The container image to use for the MinIO Server. See the MinIO Quay or the MinIO DockerHub repositories for a list of valid tags.
Log Search API’s Image | The container image to use for MinIO Log Search API.
KES Image | The container image to use for MinIO KES.
Log Search Postgres Image, Log Search Postgres Init Image | The container images to use for starting the PostgreSQL service supporting the Log Search API
Prometheus Image, Prometheus Sidecar Image, Prometheus Init Image | The container images to use for starting the Prometheus service supporting the Log Search API.
5) The Pod Placement Section
The Pod Placement section displays pod scheduler settings for the MinIO Tenant.
Field | Description
---|---
None | Disables pod scheduling constraints for the tenant. This allows Kubernetes to schedule multiple Tenant pods onto the same node. This may decrease resiliency, as a single Kubernetes worker can host multiple MinIO pods. If that worker is down or lost, objects may also be unavailable or lost. Consider using this setting only in early development or sandbox environments with a limited number of worker nodes.
Default (Pod Anti-Affinity) | Directs the Operator to set anti-affinity settings such that no Kubernetes worker can host more than one MinIO server pod for this Tenant.
Node Selector | Directs the operator to set a Node Selector such that pods only deploy onto Kubernetes workers whose labels match the selector.
6) The Identity Provider Section
The Identity Provider section displays the Identity Provider settings for the MinIO Tenant. This includes configuring an external IDP such as OpenID or Active Directory / LDAP.
Field | Description
---|---
Built-In | Configure additional internal MinIO users for the Operator to create as part of deploying the Tenant.
OpenID | Configure an OpenID Connect-compatible service as an external Identity Provider (e.g. Keycloak, Okta, Google, Facebook, Dex) to manage MinIO users.
Active Directory | Configure an Active Directory or OpenLDAP service as the external Identity Provider to manage MinIO users.
7) The Security Section
The Security section displays TLS certificate settings for the MinIO Tenant.
Field | Description
---|---
Enable TLS | Enable or disable TLS for the MinIO Tenant.
Enable AutoCert | Directs the Operator to generate Certificate Signing Requests for submission to the Kubernetes TLS API. The MinIO Tenant uses the generated certificates for enabling and establishing TLS connections.
Custom Certificates | When enabled, you can upload custom TLS certificates for MinIO to use for server and client credentials. MinIO supports Server Name Indication (SNI) such that the Tenant can select the appropriate TLS certificate based on the request hostname and the certificate Subject Alternative Name. MinIO also supports uploading Certificate Authority certificates for validating client certificates minted by that CA.
New in version Console: 0.23.1
A message displays under the certificate with the date of expiration and length of time until expiration.
The message adjusts depending on the length of time to expiration:
- More than 30 days, the message text displays in gray.
- Within 30 days, the message text changes to orange.
- Within 10 days, the message text changes to red.
- Within 24 hours, the message displays as an hour and minute countdown in red text.
- After expiration, the message displays as EXPIRED.
8) The Encryption Section
The Encryption section displays the Server-Side Encryption (SSE) settings for the MinIO Tenant.
Enabling SSE also creates MinIO Key Encryption Service pods in the Tenant to facilitate SSE operations.
Field | Description
---|---
Vault | Configure Hashicorp Vault as the external KMS for storing root encryption keys. See Server-Side Object Encryption with Hashicorp Vault Root KMS for guidance on the displayed fields.
AWS | Configure AWS Secrets Manager as the external KMS for storing root encryption keys. See Server-Side Object Encryption with AWS Secrets Manager Root KMS for guidance on the displayed fields.
GCP | Configure Google Cloud Platform Secret Manager as the external KMS for storing root encryption keys. See Server-Side Object Encryption with GCP Secret Manager Root KMS for guidance on the displayed fields.
Azure | Configure Azure Key Vault as the external KMS for storing root encryption keys. See Server-Side Object Encryption with Azure Key Vault Root KMS for guidance on the displayed fields.
9) Audit Log Settings
Important
MinIO plans to deprecate the Tenant Console Audit Log feature and remove it in an upcoming release. MinIO recommends disabling this feature in preparation for this change.
As an alternative, use any webhook-capable database or logging service to capture audit logs from the Tenant.
Changed in version Console: 0.23.1 and Operator 5.0.0
New tenants have Audit Logs Disabled by default.
Field | Description
---|---
Log Search Storage Class | Select the storage class and requested capacity associated to the PVC generated to support audit logging.
Storage Size | Specify the size of storage to make available for audit logging.
SecurityContext for LogSearch | The MinIO Operator deploys a Log Search service (SQL Database and Log Search API) to support Audit Log search in the MinIO Tenant Console. You can modify the Security Context to run the associated pod commands using a different
SecurityContext for PostgreSQL | The MinIO Operator deploys a PostgreSQL database to support logging services. You can modify the Security Context to run the associated pod commands using a different You can also modify the storage class and requested capacity associated to the PVC generated to support the Prometheus service.
10) Monitoring Settings
Important
MinIO plans to deprecate the Tenant Prometheus pod feature and remove it in an upcoming release.
MinIO recommends setting this value to false in preparation for this change.
As an alternative, use any Prometheus service deployed within the Kubernetes cluster or externally to capture Tenant metrics.
Changed in version Console: 0.23.1 and Operator 5.0.0
New tenants have monitoring Disabled by default.
Field | Description
---|---
Storage Class | Select the storage class and requested capacity associated to the PVC generated to support Prometheus.
Storage Size | Specify the size of storage to make available for Prometheus.
SecurityContext | The MinIO Operator assigns this Security Context for the Prometheus pod. You can modify the Security Context to run the associated pod commands using a different
11) Deploy and View the Tenant
Select Create at any time to begin the deployment process. The MinIO Operator displays the root user credentials once as part of deploying the Tenant. Copy these credentials to a secure location.
You can monitor the Tenant creation process from the Tenants view. The State column updates throughout the deployment process.
Tenant deployment can take several minutes to complete. Once the State reads as Initialized, click the Tenant to view its details.

Each tab provides additional details or configuration options for the MinIO Tenant.
METRICS - Displays metrics collected from the MinIO Tenant.
SECURITY - Provides TLS-related configuration options.
POOLS - Supports expanding the tenant by adding more Server Pools.
LICENSE - Enter your SUBNET license.
12) Connect to the Tenant
The MinIO Operator creates services for the MinIO Tenant.
Use the kubectl get svc -n NAMESPACE command to review the deployed services:
kubectl get svc -n minio-tenant-1
NAME                               TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
minio                              LoadBalancer   10.97.114.60     <pending>     443:30979/TCP    2d3h
minio-tenant-1-console             LoadBalancer   10.106.103.247   <pending>     9443:32095/TCP   2d3h
minio-tenant-1-hl                  ClusterIP      None             <none>        9000/TCP         2d3h
minio-tenant-1-log-hl-svc          ClusterIP      None             <none>        5432/TCP         2d3h
minio-tenant-1-log-search-api      ClusterIP      10.103.5.235     <none>        8080/TCP         2d3h
minio-tenant-1-prometheus-hl-svc   ClusterIP      None             <none>        9090/TCP         7h39m
The minio service corresponds to the MinIO Tenant service. Applications should use this service for performing operations against the MinIO Tenant.
The *-console service corresponds to the MinIO Console. Administrators should use this service for accessing the MinIO Console and performing administrative operations on the MinIO Tenant.
The remaining services support Tenant operations and are not intended for consumption by users or administrators.
By default each service is visible only within the Kubernetes cluster.
Applications deployed inside the cluster can access the services using the CLUSTER-IP.
Applications external to the Kubernetes cluster can access the services using the EXTERNAL-IP.
This value is only populated for Kubernetes clusters configured for Ingress or a similar network access service.
Kubernetes provides multiple options for configuring external access to services.
See the Kubernetes documentation on Publishing Services (ServiceTypes) and Ingress for more complete information on configuring external access to services.
Deploy a MinIO Tenant using the Command Line
The kubectl minio tenant create command supports creating a MinIO Tenant in your Kubernetes cluster.
The command requires that the cluster have a functional MinIO Operator installation.
To deploy a tenant from the command line, complete the following steps:
1) Determine Values for Required Settings
2) Determine Values for Optional Settings
3) Run the Command with Required and Optional Settings
4) Record the Access Credentials
5) Access the Tenant’s MinIO Console
1) Determine Values for Required Settings
The kubectl minio tenant create command requires several configuration settings.
Determine the values for all required settings.
The command requires values for each of the items in this table.
Setting |
Description |
---|---|
The name to use for the new tenant. |
|
The total raw storage size for the Tenant across all volumes. Specify both the total storage size and the Unit of that storage. All storage units are in SI values, e.g. \(Gi = GiB = 1024^3\) bytes. For example, 16 Ti for 16 Tebibytes. |
|
The total number of MinIO server pods to deploy in the Tenant. The Operator by default uses pod anti-affinity, such that the Kubernetes cluster must have at least one worker node per MinIO server pod. |
|
The total number of storage volumes (Persistent Volume Claims). The Operator generates an equal number of PVC plus one for supporting logging. The total number of persistent volume claims ( The generated claims have pod selectors so that claims are only made for volumes attached to node running the pod. If the number of volumes exceeds the number of persistent volumes available on the cluster, |
|
Each MinIO tenant requires its own Specify a namespace with the The namespace must already exist in the Kubernetes cluster.
Run |
|
Specify the storage class to use. New MinIO tenants use the The specified MinIO strongly recommends creating a Storage Class that corresponds to locally-attached volumes on the host machines on which the Tenant deploys. This ensures each pod can use locally-attached storage for maximum performance and throughput. |
For example, the following command creates a new tenant with the following settings:
- Name: miniotenant
- Capacity: 16 Tebibytes
- Servers: 4
- Volumes: 16
- Namespace: minio
- Storage Class: warm
kubectl minio tenant create miniotenant \
--capacity 16Ti \
--servers 4 \
--volumes 16 \
--namespace minio \
--storage-class warm
2) Determine Values for Optional Settings
You can further customize your tenant by including any or all of the following optional flags when running the kubectl minio tenant create command:
Setting |
Description |
---|---|
Customize the By default, the Operator uses the release image available at the time of the Operator’s release.
To specify a different MinIO version for the tenant, such as the latest available, use the See the MinIO Quay or the MinIO DockerHub repositories for a list of valid tags. |
|
If using a custom container registry, specify the secret to use when pulling the Use |
|
Configure a Key Encryption Service (KES) Use the Enabling Server Side Encryption (SSE) also deploys a MinIO KES service in the Tenant to facilitate SSE operations. For more, see the GitHub documentation. |
Note
Generate a YAML File for Further Customizations
The MinIO Operator installs a Custom Resource Definition (CRD) to describe tenants. Advanced users can generate a YAML file from the command line and customize the tenant based on the CRD.
Do a dry run of a tenant creation process to generate a YAML file using the --output flag.
When using this flag, the operator does not create the tenant.
Modify the generated YAML file as desired, then use kubectl apply -f <FILE> to manually create the MinIO tenant using the file.
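One way to review the file from the dry run described above before applying it, checking the settings this page exposes as Security Context, Enable AutoCert and Expose MinIO/Console Service. This is an added example, not code from the MinIO documentation or the Operator; the function names and the sample manifest are constructed, and the field names (exposeServices, requestAutoCert, runAsUser, runAsNonRoot) are assumed from the Operator's minio.min.io/v2 Tenant CRD rather than taken from this page.

```shell
#!/bin/sh
# Added example: review a generated Tenant manifest before `kubectl apply -f`.
# Live use: review_tenant_yaml < tenant.yaml
# Handles plain "key: value" lines only (no quoted values or inline comments).

# Constructed input. Field names are assumed from the minio.min.io/v2 Tenant CRD.
sample_tenant_yaml() {
cat <<'EOF'
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
  name: minio1
  namespace: miniotenantspace
spec:
  exposeServices:
    console: true
    minio: true
  requestAutoCert: false
  pools:
  - servers: 4
    volumesPerServer: 4
    securityContext:
      runAsUser: 0
      runAsGroup: 0
      fsGroup: 0
      runAsNonRoot: false
EOF
}

# Prints one FINDING or NOTE line per setting that deserves a second look.
review_tenant_yaml() {
  awk '
    /^ *#/ || /^ *$/ { next }                   # comments and blank lines
    {
      rest = $0; sub(/^ */, "", rest)
      ind = length($0) - length(rest)           # indentation depth of this line
      sub(/^- */, "", rest)                     # list items such as "- servers: 4"
      key = rest; sub(/:.*/, "", key)
      val = rest; sub(/^[^:]*: */, "", val)

      # Track whether we are still inside the exposeServices mapping.
      if (in_expose && ind <= expose_ind) { in_expose = 0 }
      if (key == "exposeServices") { in_expose = 1; expose_ind = ind; next }
      if (in_expose && val == "true") {
        print "NOTE exposeServices." key "=true: requests an external address for this service"
      }
      if (key == "requestAutoCert") {
        seen_autocert = 1
        if (val == "false") {
          print "FINDING requestAutoCert=false: no Operator-generated certificates, TLS depends on custom certificates"
        }
      }
      if (key == "runAsUser" && val == "0") {
        print "FINDING runAsUser=0: pods using this Security Context run as root"
      }
      if (key == "runAsNonRoot" && val == "false") {
        print "FINDING runAsNonRoot=false: the kubelet will not block a root container"
      }
    }
    END {
      if (!seen_autocert) { print "NOTE requestAutoCert not set: confirm the TLS settings of this Tenant" }
    }'
}

sample_tenant_yaml | review_tenant_yaml
```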
3) Run the Command with Required and Optional Settings
At the command line, enter the full command with all Required and any Optional flags.
Consider a tenant we want to create:
- Tenant Name: minio1
- Capacity: 16 Tebibytes
- Servers: 4
- Volumes: 16 (four per node)
- Namespace: miniotenantspace
- MinIO Image: Latest version, RELEASE.2023-06-02T23-17-26Z
- Key encryption file: minio-secret
- Storage class: warm
kubectl minio tenant create \
minio1 \
--capacity 16Ti \
--servers 4 \
--volumes 16 \
--namespace miniotenantspace \
--image minio/minio:RELEASE.2023-06-02T23-17-26Z \
--kes-config minio-kes-secret \
--storage-class warm
4) Record the Access Credentials
When generating the tenant, the MinIO Operator displays the access credentials to use for the tenant.
Important
This is the only time the credentials display. Copy the credentials to a secure location. MinIO does not show these credentials again.
In addition to access credentials, the output shows the service name and service ports to use for accessing the tenant.
5) Access the Tenant’s MinIO Console
The MinIO Operator creates services for the MinIO Tenant.
Use the kubectl get svc -n NAMESPACE command to review the deployed services:
kubectl get svc -n minio-tenant-1
NAME                               TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
minio                              LoadBalancer   10.97.114.60     <pending>     443:30979/TCP    2d3h
minio-tenant-1-console             LoadBalancer   10.106.103.247   <pending>     9443:32095/TCP   2d3h
minio-tenant-1-hl                  ClusterIP      None             <none>        9000/TCP         2d3h
minio-tenant-1-log-hl-svc          ClusterIP      None             <none>        5432/TCP         2d3h
minio-tenant-1-log-search-api      ClusterIP      10.103.5.235     <none>        8080/TCP         2d3h
minio-tenant-1-prometheus-hl-svc   ClusterIP      None             <none>        9090/TCP         7h39m
The minio service corresponds to the MinIO Tenant service. Applications should use this service for performing operations against the MinIO Tenant.
The *-console service corresponds to the MinIO Console. Administrators should use this service for accessing the MinIO Console and performing administrative operations on the MinIO Tenant.
The remaining services support Tenant operations and are not intended for consumption by users or administrators.
By default each service is visible only within the Kubernetes cluster.
Applications deployed inside the cluster can access the services using the CLUSTER-IP.
Applications external to the Kubernetes cluster can access the services using the EXTERNAL-IP.
This value is only populated for Kubernetes clusters configured for Ingress or a similar network access service.
Kubernetes provides multiple options for configuring external access to services.
See the Kubernetes documentation on Publishing Services (ServiceTypes) and Ingress for more complete information on configuring external access to services.
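The service listing shown in "12) Connect to the Tenant" and again in this step can be checked mechanically for how each service is reachable. The following is an added example, not part of the MinIO documentation; the function names are constructed and the input is the listing from this page. It relies on the kubectl convention that a PORT(S) entry of the form port:nodePort (for example 443:30979/TCP) means a node port is allocated on the cluster nodes, even while EXTERNAL-IP still reads <pending>.

```shell
#!/bin/sh
# Added example: classify how each Tenant service is reachable.
# Live use: kubectl get svc -n NAMESPACE | audit_tenant_services

# Constructed input: the service listing shown on this page.
sample_svc_listing() {
cat <<'EOF'
NAME                               TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
minio                              LoadBalancer   10.97.114.60     <pending>     443:30979/TCP    2d3h
minio-tenant-1-console             LoadBalancer   10.106.103.247   <pending>     9443:32095/TCP   2d3h
minio-tenant-1-hl                  ClusterIP      None             <none>        9000/TCP         2d3h
minio-tenant-1-log-hl-svc          ClusterIP      None             <none>        5432/TCP         2d3h
minio-tenant-1-log-search-api      ClusterIP      10.103.5.235     <none>        8080/TCP         2d3h
minio-tenant-1-prometheus-hl-svc   ClusterIP      None             <none>        9090/TCP         7h39m
EOF
}

# Prints "<verdict> <service> <reachability> <node ports>" per service.
#   OK      - reachable only inside the cluster
#   EXPOSED - minio or *-console, the two services meant for clients
#   REVIEW  - a supporting service reachable from outside the cluster
audit_tenant_services() {
  awk '
    $1 == "NAME" || NF < 5 { next }       # header and blank lines
    {
      name = $1; ext = $4
      nodeports = ""
      n = split($5, parts, ",")           # e.g. 80:31000/TCP,443:31001/TCP
      for (i = 1; i <= n; i++) {
        sub(/\/.*/, "", parts[i])         # drop the protocol suffix
        if (index(parts[i], ":") > 0) {   # port:nodePort, a node port is open
          np = parts[i]
          sub(/.*:/, "", np)
          nodeports = (nodeports == "" ? np : nodeports "," np)
        }
      }
      if (ext != "<none>" && ext != "<pending>") {
        reach = "external-ip"
      } else if (nodeports != "") {
        reach = "node-port"
      } else {
        reach = "cluster-only"
      }
      if (reach == "cluster-only") {
        verdict = "OK"
      } else if (name == "minio" || name ~ /-console$/) {
        verdict = "EXPOSED"
      } else {
        verdict = "REVIEW"
      }
      print verdict, name, reach, (nodeports == "" ? "-" : nodeports)
    }'
}

sample_svc_listing | audit_tenant_services
```

A REVIEW line marks one of the supporting services, which this page describes as not intended for users or administrators, being published outside the cluster.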