restrict reflector action scope to a list of namespaces #493
Replies: 2 comments
-
Also interested in this feature, like a command arg and/or an environment variable to restrict which namespaces should be watched for source Secrets (comma-separated list). As of now, anyone can flood the cluster by creating Secrets reflected to all namespaces. If this is already possible (without custom admission control), can you please explain how? Thank you.
-
I think the ability to use namespace-scoped RoleBindings would be preferable. Having a service account with the ability to read all secrets on the cluster based on permissions is very bad for secure workloads.
-
Hi,
for security reasons it could be great if reflector restricted its operational range to a set of namespaces. I tried to achieve this by defining a different RoleBinding for each namespace instead of using a ClusterRoleBinding, but it seemed not to work.
Is there a possibility to achieve this with the current code level?