Open ghostsquad opened 2 years ago
Good news everyone, we just released a preview of Pulumi Kubernetes Operator v2. This new release has a whole new architecture that is designed primarily for cluster-wide installation. Filtering on which namespaces to watch is actually an unimplemented feature: https://github.com/pulumi/pulumi-kubernetes-operator/issues/690
One of the main use cases for an ordinary single-namespace installation mode is that fewer permissions are needed by the operator. I doubt that would be practical in this use case of dynamic namespaces, because you'd need at least some cluster-scoped permissions to watch the namespace objects, and a role binding would be needed on a per-namespace basis to watch the stacks. I suppose I don't see much reason to do this. @ghostsquad could you say more?
Please read the announcement blog post for more information: https://www.pulumi.com/blog/pulumi-kubernetes-operator-2-0/
Would love to hear your feedback! Feel free to engage with us on the #kubernetes channel of the Pulumi Slack workspace.
Hello!
Issue details
Instead of a single namespace or a comma-separated list of namespaces, I'd like the ability for an operator to dynamically watch namespaces based on the "selector" pattern.
Here are some more relevant details: https://github.com/kubernetes/kubernetes/issues/88253?ts=4#issuecomment-798793953
https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#labelselector-v1-meta
Affected area/feature
Allows WATCH_NAMESPACE to be a more dynamic value, allowing for stacks to be managed alongside the apps themselves, and generally, it's easier to support namespaces that share specific requirements/permissions dynamically without needing to deploy a specific operator for each individual namespace, or to redeploy an operator because of the addition/removal of a namespace.
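For readers following the request, here is a sketch of how the "selector" pattern resolves to a set of watched namespaces. It is an added example, not part of the issue and not code from the operator. `Requirement`, `Matches`, `Watched` and the label keys are hypothetical, and the matcher is a hand-written stand-in for Kubernetes LabelSelector semantics, in which a `matchLabels` entry is equivalent to a single-value `In` term.

```go
package main

import (
	"fmt"
	"sort"
)

// Requirement is one LabelSelector term: In, NotIn, Exists or DoesNotExist.
type Requirement struct {
	Key, Operator string
	Values        []string
}

// Matches ANDs all terms; an empty selector matches every namespace.
func Matches(sel []Requirement, labels map[string]string) bool {
	for _, r := range sel {
		v, has := labels[r.Key]
		in := false
		for _, x := range r.Values {
			in = in || (has && x == v)
		}
		ok := map[string]bool{"In": in, "NotIn": !in, "Exists": has, "DoesNotExist": !has}
		if !ok[r.Operator] { // an unknown operator fails closed
			return false
		}
	}
	return true
}

// Watched returns the sorted names of the namespaces whose labels match sel.
func Watched(sel []Requirement, namespaces map[string]map[string]string) (out []string) {
	for name, labels := range namespaces {
		if Matches(sel, labels) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

var sampleNamespaces = map[string]map[string]string{ // constructed sample; label keys are hypothetical
	"team-a":      {"pulumi-managed": "true", "env": "dev"},
	"team-b":      {"pulumi-managed": "true", "env": "prod"},
	"kube-system": {},
}

func main() {
	fmt.Println(Watched([]Requirement{{"pulumi-managed", "In", []string{"true"}}}, sampleNamespaces))
}
```

With a selector, the watched set follows namespace labels, so permission to label a namespace becomes permission to place it in the operator's scope. An empty selector is equivalent to a cluster-wide watch.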