The controller currently requires a cluster-wide `ClusterRole`. controller-runtime supports restricting the informer cache to specific namespaces via `cache.Options.DefaultNamespaces`, which would allow deployment with a namespaced `Role`/`RoleBinding` instead — giving API-server-level enforcement rather than just cache filtering.
Given the controller can manage sandboxes running untrusted code, least-privilege RBAC matters more here than for typical operators.
Plugging #483, the ns list can be a helm value and default to all if not set.
Happy to send a PR.
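As an added illustration (not part of the issue or the project's code), one way the namespace list could be parsed before it is handed to the cache. The function name `ParseWatchNamespaces`, the comma-separated format and the sample namespaces are assumptions; the point shown is that "not set" means all namespaces, while a malformed entry is rejected instead of silently widening the scope.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// dns1123Label matches a valid Kubernetes namespace name (RFC 1123 label).
var dns1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// ParseWatchNamespaces (hypothetical helper) turns a comma-separated list,
// e.g. a Helm value rendered into a flag or env var, into a sorted,
// de-duplicated namespace list. An empty value means "all namespaces" and
// returns nil. A malformed entry is an error: falling back to cluster scope
// on a typo would undo the least-privilege setup.
func ParseWatchNamespaces(raw string) ([]string, error) {
	if strings.TrimSpace(raw) == "" {
		return nil, nil // not set: cluster-wide, needs a ClusterRole
	}
	seen := map[string]bool{}
	var out []string
	for _, part := range strings.Split(raw, ",") {
		ns := strings.TrimSpace(part)
		if len(ns) > 63 || !dns1123Label.MatchString(ns) {
			return nil, fmt.Errorf("invalid namespace %q in watch list", ns)
		}
		if !seen[ns] {
			seen[ns] = true
			out = append(out, ns)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed sample input.
	nss, err := ParseWatchNamespaces("team-a, team-b,team-a")
	if err != nil {
		panic(err)
	}
	// With controller-runtime, each entry would become a key of
	// cache.Options.DefaultNamespaces (a map[string]cache.Config) set in
	// ctrl.Options.Cache, and the chart would render one Role/RoleBinding
	// per namespace instead of a ClusterRole/ClusterRoleBinding.
	fmt.Println(nss)
}
```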