GoogleCloudPlatform / metacontroller

Lightweight Kubernetes controllers as a service
https://metacontroller.app/
Apache License 2.0

compositecontroller and decoratorcontroller cannot be namespace scoped #90

Open kkasravi opened 6 years ago

kkasravi commented 6 years ago

If a namespace is provided, it is ignored. Should controllers check to see if what they're watching is namespaced and limit their watches accordingly?

enisoc commented 6 years ago

It sounds like you want to make controllers that only act within certain namespaces, and you want Metacontroller to enforce that restriction instead of relying on the hook code to ignore other namespaces. Is that right?

One form that could take is to add namespace filters or selectors in the spec of the existing CompositeController and DecoratorController APIs. This would allow those who have been given access to Metacontroller APIs to self-restrict their controllers, but it wouldn't allow a cluster admin to hand out restricted access to use Metacontroller APIs in only certain namespaces.

Another option would be to introduce namespaced duplicates of the CompositeController and DecoratorController APIs. The namespaced forms of these APIs would only be capable of seeing and acting on objects within the same namespace. That would allow admins to control access to those namespaced Metacontroller APIs on a per-namespace basis with RBAC.

Do either of these match the use case you're thinking of? If not, it would help if you can give more details.
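Until Metacontroller enforces the restriction itself, the namespace check has to live in the hook code, as noted above. The following is an added example, not code from this thread or from the Metacontroller project: a CompositeController sync hook in Python that acts only on parents in an allowed set of namespaces. The parent kind, the ConfigMap child and the allowed-namespace list are assumptions for illustration; the request/response shape (a `parent` object, an observed `children` map, and a response with `status` and a `children` list) follows Metacontroller's sync hook contract.

```python
import json

# Namespaces this hook is willing to manage (constructed for the example).
ALLOWED_NAMESPACES = {"team-a", "team-b"}


def desired_children(parent):
    """Build the children a parent in an allowed namespace should own.
    Here: one ConfigMap named after the parent (assumed child kind)."""
    meta = parent["metadata"]
    replicas = parent.get("spec", {}).get("replicas", 1)
    return [{
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": meta["name"], "namespace": meta["namespace"]},
        "data": {"replicas": str(replicas)},
    }]


def observed_children(request):
    """Flatten the observed-children map (kind key -> name -> object) back
    into a list, i.e. 'keep everything exactly as it is'."""
    return [obj for by_name in request.get("children", {}).values()
            for obj in by_name.values()]


def sync_hook(request):
    """Handle one CompositeController sync request.

    Parents outside ALLOWED_NAMESPACES are ignored: the hook returns the
    observed children unchanged, so Metacontroller neither creates nor
    deletes anything for them. Returning an empty list instead would tell
    Metacontroller that no children are desired, which is not 'ignore'."""
    parent = request["parent"]
    ns = parent["metadata"].get("namespace", "")
    if ns not in ALLOWED_NAMESPACES:
        return {"status": {"managed": False, "reason": "namespace not allowed"},
                "children": observed_children(request)}
    return {"status": {"managed": True}, "children": desired_children(parent)}


def handle_body(body: bytes) -> bytes:
    """Adapter for an HTTP server: decode the request, encode the response."""
    return json.dumps(sync_hook(json.loads(body))).encode()
```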

kkasravi commented 6 years ago

We would probably prefer option 2. Option 1 would be a reasonable workaround in the interim. Would we be able to submit a PR for option 2 or is this something you would prefer to do?