haproxytech / kubernetes-ingress

HAProxy Kubernetes Ingress Controller
https://www.haproxy.com/documentation/kubernetes/
Apache License 2.0

Support namespace-scoped installation #126

Open sergiimk opened 4 years ago

sergiimk commented 4 years ago

Our company operates k8s in a highly multi-tenant fashion where each team/project has isolated namespaces running their own ingress controllers. There is no cluster-global ingress controller deployment and most users don't have permissions to create cluster-scoped resources or access cluster scope APIs.

We are currently using nginx-ingress that provides --watch-namespace and --force-namespace-isolation options, but would like to migrate to haproxy as it served us well pre-k8s.

However, even when using the whitelist feature to restrict the haproxy controller to one namespace (as suggested in #105), it still hits the cluster-scoped APIs and fails with:

Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:xxx:haproxy-test" cannot list resource "ingresses" in API group "extensions" at the cluster scope
Failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:xxx:haproxy-test" cannot list resource "configmaps" in API group "" at the cluster scope
Failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:xxx:haproxy-test" cannot list resource "secrets" in API group "" at the cluster scope

Would it make sense to use only namespace-scoped event APIs when a namespace whitelist is provided?

The controller listening for all events even when a namespace whitelist is provided is also a scalability concern for us, as we deploy hundreds of instances which put a lot of pressure on the k8s API.
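Why the denials above occur even for a tenant that holds rights in its own namespace, as an added example that is not part of the original thread or the project's code: a simplified model of Kubernetes RBAC in which a namespace-scoped RoleBinding never authorizes a cluster-scope list, while the same call issued against the namespace passes. The `Binding` model and the tenant grant on namespace `xxx` are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# The three denials quoted in the issue above, embedded as sample input.
LOG = '''\
Failed to list *v1beta1.Ingress: ingresses.extensions is forbidden: User "system:serviceaccount:xxx:haproxy-test" cannot list resource "ingresses" in API group "extensions" at the cluster scope
Failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:xxx:haproxy-test" cannot list resource "configmaps" in API group "" at the cluster scope
Failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:xxx:haproxy-test" cannot list resource "secrets" in API group "" at the cluster scope
'''

# kube-apiserver "forbidden" message: either cluster scope or a named namespace.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<res>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")')

@dataclass(frozen=True)
class Binding:
    subject: str
    namespace: str    # "" models a ClusterRoleBinding, otherwise a RoleBinding
    rules: frozenset  # {(api_group, resource, verb), ...}

def parse_denials(log):
    """Return (user, verb, api_group, resource, namespace); "" means cluster scope."""
    return [(m["user"], m["verb"], m["group"], m["res"], m["ns"] or "")
            for m in DENIAL.finditer(log)]

def allowed(bindings, user, verb, group, resource, namespace):
    """A RoleBinding authorizes only requests made inside its own namespace."""
    return any(b.subject == user and (group, resource, verb) in b.rules
               and b.namespace in ("", namespace) for b in bindings)

# Assumed tenant grant: list/watch on the three resources, namespace "xxx" only.
SA = "system:serviceaccount:xxx:haproxy-test"
TENANT = [Binding(SA, "xxx", frozenset(
    (g, r, v)
    for g, r in [("extensions", "ingresses"), ("", "configmaps"), ("", "secrets")]
    for v in ("list", "watch")))]

def compare_scopes(log, bindings, namespace):
    """Per denied call: (resource, allowed as issued, allowed if namespaced)."""
    return [(res, allowed(bindings, u, v, g, res, ns),
             allowed(bindings, u, v, g, res, namespace))
            for u, v, g, res, ns in parse_denials(log)]

if __name__ == "__main__":
    for row in compare_scopes(LOG, TENANT, "xxx"):
        print(row)
```
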

oktalz commented 4 years ago

Hi @sergiimk, I see your point, we could improve this to monitor only namespaces defined with --namespace-whitelist. This would certainly help the k8s API.

I'll put it in the roadmap and notify you when we change this.

ShaunHallTHG commented 1 year ago

Hi, is there any update on this please?