Support specifying which namespace(s) to watch (#61)

* Support specifying which namespace(s) to watch By default, an Operator is configured to watch objects from any namespace. Its access is only limited by RBAC. The Prefect Operator should only need to manage resources in the same namespace where it is deployed. So let's default to restricting it to its own namespace. References: - https://book.kubebuilder.io/cronjob-tutorial/empty-main.html - https://sdk.operatorframework.io/docs/building-operators/golang/operator-scope * Fix environment variable name Co-authored-by: Chris Guidry <[email protected]> * Disable namespace-scoped setting for now Disables the namespace-scoped setting (the WATCH_NAMESPACES env var) to keep the Operator cluser-scoped for now. The setting will be there in the future if we ever want to scope it down. When/if we do, we should look into scoping the RBAC down so it isn't cluster-scoped. --------- Co-authored-by: Chris Guidry <[email protected]>
PrefectHQ · Sep 6, 2024 · 04d04e8 · 04d04e8
1 parent 2547661
commit 04d04e8
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/cmd/main.go b/cmd/main.go
@@ -20,6 +20,7 @@ import (
 	"crypto/tls"
 	"flag"
 	"os"
+	"strings"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
@@ -29,6 +30,7 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
@@ -116,6 +118,9 @@ func main() {
 		// if you are doing or is intended to do any operation such as perform cleanups
 		// after the manager stops then its usage might be unsafe.
 		LeaderElectionReleaseOnCancel: true,
+		Cache: cache.Options{
+			DefaultNamespaces: getWatchNamespaces(),
+		},
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
@@ -153,3 +158,24 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+// getWatchNamespaces returns the namespace(s) the operator should be watching for changes.
+//
+// It checks the "WATCH_NAMESPACES" environment variable, which can contain either:
+// - an empty string: ""
+// - or a list of comma-separated namespaces to watch: "my-app,my-other-app"
+func getWatchNamespaces() map[string]cache.Config {
+	namespaces, found := os.LookupEnv("WATCH_NAMESPACES")
+	if !found {
+		setupLog.Info("WATCH_NAMESPACES not configured, watching all namespaces")
+
+		return map[string]cache.Config{}
+	}
+
+	namespacesToWatch := make(map[string]cache.Config)
+	for _, ns := range strings.Split(namespaces, ",") {
+		namespacesToWatch[ns] = cache.Config{}
+	}
+
+	return namespacesToWatch
+}
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -62,6 +62,13 @@ spec:
         - /manager
         args:
         - --leader-elect
+        # env:
+        # - name: WATCH_NAMESPACES
+        #   # This restricts the Operator to watch objects in the same
+        #   # namespace where it is deployed.
+        #   valueFrom:
+        #     fieldRef:
+        #       fieldPath: metadata.namespace
         image: controller:latest
         name: manager
         securityContext: