Limiting namespaces watched by ControlPlane

Minimum version: Kong Gateway Operator 1.6

By default, Kong Operator’s ControlPlane watches all namespaces. This provides a convenient out-of-the-box experience but may not suit all production environments, especially those where multiple teams share the same cluster or in multi-tenant setups.

To limit the namespaces watched by ControlPlane, you can set the watchNamespaces field in the ControlPlane’s spec.

ControlPlane’s watchNamespaces field

The spec.watchNamespaces.type field accepts three values to control this behavior:

  • all (default): Watches resources in all namespaces.
  • own: Watches resources only in the ControlPlane’s own namespace.
  • list: Watches resources in the ControlPlane’s own namespace and in the specified list of additional namespaces. When using list, the ControlPlane’s own namespace is automatically added to the list of watched namespaces, because this behavior is required by Kong Ingress Controller.
    By default, the publish service (the Service for the DataPlane, exposed by Kong Gateway) is created in the same namespace as the ControlPlane.

Note: Setting this field in ControlPlane will configure the CONTROLLER_WATCH_NAMESPACE environment variable in the managed Kong Ingress Controller. If you manually set the CONTROLLER_WATCH_NAMESPACE environment variable through podTemplateSpec, it will override this configuration.

The all and own types don’t require any further changes or additional resources. The list type requires further configuration.

Specify a list of namespaces to watch

The list type requires two additional steps:

  1. Specify the namespaces to watch in the spec.watchNamespaces.list field:

    spec:
      watchNamespaces:
        type: list
        list:
        - namespace-a
        - namespace-b

  2. Create a WatchNamespaceGrant resource in each of the specified namespaces. This resource grants the ControlPlane permission to watch resources in the specified namespace. It can be defined as:

    apiVersion: gateway-operator.konghq.com/v1alpha1
    kind: WatchNamespaceGrant
    metadata:
      name: watch-namespace-grant
      namespace: namespace-a
    spec:
      from:
      - group: gateway-operator.konghq.com
        kind: ControlPlane
        namespace: control-plane-namespace
    

For more information on the WatchNamespaceGrant CRD, see the CRD reference.

Multi-tenancy using watch namespaces (v2.0+)

Multi-tenancy, in the context of Kong Operator, is an approach that allows multiple instances of the Kong Operator to share the same underlying infrastructure while keeping their data isolated; more specifically, each instance watches a disjoint set of namespaces.

This allows you to configure Kong Operator itself to watch namespaces instead of always specifying them in the ControlPlane resources.

Important: If you configure watch namespaces on both Kong Operator and ControlPlane resources, they must be configured so that they don’t conflict. For example, if the Kong Operator watches namespaces A and B, the ControlPlane resource can only define watch namespaces A and B. If you use other watch namespaces, such as namespace C, the ControlPlane object will receive an appropriate status condition and won’t reconcile your configuration.
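The two-step list procedure above and the scope rule in the Important note both come down to set checks on the namespaces a ControlPlane effectively watches. The following script is an added example, not Kong Operator code: it models the ControlPlane, the WatchNamespaceGrant objects and the Operator's own watch set as plain dicts (constructed to mirror the YAML on this page; the ControlPlane apiVersion v1beta1 and the spec.deployment.podTemplateSpec path used for env overrides are assumptions) and reports listed namespaces without a covering grant, namespaces outside the Operator's scope, and any manual CONTROLLER_WATCH_NAMESPACE override that would take precedence.

```python
"""Constructed checker for a ControlPlane's spec.watchNamespaces (not Kong Operator code)."""
from __future__ import annotations

CONTROLPLANE_GROUP = "gateway-operator.konghq.com"
WATCH_ENV = "CONTROLLER_WATCH_NAMESPACE"


def effective_watched_namespaces(cp: dict) -> set[str] | None:
    """Namespaces the ControlPlane ends up watching; None means all namespaces.
    `own` is the ControlPlane's namespace; `list` is the listed namespaces plus
    the own namespace, which is added automatically (required by Kong Ingress Controller)."""
    own = cp["metadata"]["namespace"]
    wn = cp.get("spec", {}).get("watchNamespaces") or {"type": "all"}
    kind = wn.get("type", "all")
    if kind == "all":
        return None
    if kind == "own":
        return {own}
    if kind == "list":
        return set(wn.get("list") or []) | {own}
    raise ValueError(f"unknown watchNamespaces.type: {kind!r}")


def grant_covers(grant: dict, cp: dict) -> bool:
    """True if the grant's spec.from names this ControlPlane's group/kind/namespace."""
    cp_ns = cp["metadata"]["namespace"]
    return any(
        ref.get("group") == CONTROLPLANE_GROUP
        and ref.get("kind") == "ControlPlane"
        and ref.get("namespace") == cp_ns
        for ref in grant.get("spec", {}).get("from", [])
    )


def missing_grants(cp: dict, grants: list[dict]) -> set[str]:
    """Listed namespaces with no WatchNamespaceGrant for this ControlPlane.
    The ControlPlane's own namespace never needs a grant."""
    watched = effective_watched_namespaces(cp)
    if watched is None:
        return set()
    needed = watched - {cp["metadata"]["namespace"]}
    covered = {g["metadata"]["namespace"] for g in grants if grant_covers(g, cp)}
    return needed - covered


def conflicts_with_operator(cp: dict, operator_namespaces: set[str] | None) -> set[str]:
    """v2.0+ rule: everything the ControlPlane watches must be watched by the Operator too.
    Returns the offending namespaces; None for operator_namespaces means the Operator watches all."""
    if operator_namespaces is None:
        return set()
    watched = effective_watched_namespaces(cp)
    if watched is None:
        return {"*"}  # 'all' cannot fit inside a restricted Operator scope
    return watched - operator_namespaces


def manual_watch_env_override(cp: dict) -> str | None:
    """Value of CONTROLLER_WATCH_NAMESPACE if set by hand via podTemplateSpec
    (assumed path: spec.deployment.podTemplateSpec); the page says this overrides spec.watchNamespaces."""
    pod = cp.get("spec", {}).get("deployment", {}).get("podTemplateSpec", {})
    for container in pod.get("spec", {}).get("containers", []):
        for env in container.get("env", []):
            if env.get("name") == WATCH_ENV:
                return env.get("value")
    return None


# Constructed sample resources mirroring the YAML on this page.
CONTROL_PLANE = {
    "apiVersion": "gateway-operator.konghq.com/v1beta1",  # assumed API version
    "kind": "ControlPlane",
    "metadata": {"name": "cp", "namespace": "control-plane-namespace"},
    "spec": {"watchNamespaces": {"type": "list", "list": ["namespace-a", "namespace-b"]}},
}
GRANTS = [  # only namespace-a has a grant so far; namespace-b is still missing one
    {
        "apiVersion": "gateway-operator.konghq.com/v1alpha1",
        "kind": "WatchNamespaceGrant",
        "metadata": {"name": "watch-namespace-grant", "namespace": "namespace-a"},
        "spec": {"from": [{"group": CONTROLPLANE_GROUP, "kind": "ControlPlane",
                           "namespace": "control-plane-namespace"}]},
    },
]


def report(cp: dict = CONTROL_PLANE, grants: list[dict] = GRANTS,
           operator_namespaces: set[str] | None = None) -> dict:
    """Collect every check into one dict, the way a pre-apply validation step would."""
    return {
        "watched": effective_watched_namespaces(cp),
        "missing_grants": missing_grants(cp, grants),
        "operator_conflicts": conflicts_with_operator(cp, operator_namespaces),
        "env_override": manual_watch_env_override(cp),
    }


if __name__ == "__main__":
    print(report())
    print(report(operator_namespaces={"control-plane-namespace", "namespace-a"}))
```

To run this against a live cluster, feed the dicts from `kubectl get controlplane,watchnamespacegrant -A -o json` instead of the constructed samples; the checks themselves do not change.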

You can set watch namespaces for Kong Operator using several methods:
