By default, ‘s ControlPlane watches all namespaces.
This provides a convenient out-of-the-box experience but may not suit all production environments, especially those where multiple teams share the same cluster or in multi-tenant setups.
To limit the namespaces watched by ControlPlane, you can set the watchNamespaces field in the ControlPlane’s spec.
The spec.watchNamespaces.type field accepts three values to control this behavior:
all (default): Watches resources in all namespaces.own: Watches resources only in the ControlPlane’s own namespace.list: Watches resources in the ControlPlane’s own namespace and in the specified list of additional namespaces.
When using list, the ControlPlane’s own namespace is automatically added to the list of watched namespaces, because this behavior is required by Kong Ingress Controller.Service for the DataPlane, exposed by Kong Gateway) is created in the same namespace as the ControlPlane.Note: Setting this field in
ControlPlanewill configure theCONTROLLER_WATCH_NAMESPACEenvironment variable in the managed Kong Ingress Controller. If you manually set theCONTROLLER_WATCH_NAMESPACEenvironment variable throughpodTemplateSpec, it will override this configuration.
The all and own types don’t require any further changes or additional resources. The list type requires further configuration.
The list type requires two additional steps:
spec.watchNamespaces.list field.
spec:
watchNamespaces:
type: list
list:
- namespace-a
- namespace-b
Create a WatchNamespaceGrant resource in each of the specified namespaces. This resource grants the ControlPlane permission to watch resources in the specified namespace. It can be defined as:
apiVersion: gateway-operator.konghq.com/v1alpha1
kind: WatchNamespaceGrant
metadata:
name: watch-namespace-grant
namespace: namespace-a
spec:
from:
- group: gateway-operator.konghq.com
kind: ControlPlane
namespace: control-plane-namespace
For more information on the WatchNamespaceGrant CRD, see the CRD reference.