Hi,
Does this isolation apply to ingress resources?
Because suppose I have 2 ingress controllers installed on my cluster, every Ingress resource in every namespace is applied by both controllers.
Currently the controller makes a watch on secrets in all namespaces, even if the controller is restricted to one namespace. (Same with configmaps, see https://github.com/kubernetes/ingress/blob/master/core/pkg/ingress/controller/controller.go#L257 )
This was done since otherwise users would be required to duplicate certificates in every NS. But if you have a cluster and use NS for user separation this breaks the separation (since it requires cross NS read access to secrets), which makes any ingress (using that code) unusable in a NS separated cluster.
I would propose to introduce another flag: --force-namespace which limits the watch on secrets and configmaps to the NS defined by --watch-namespace.
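
The access difference described in the issue, written out as RBAC manifests. This is an added example, not part of the original issue or the project's own manifests; the namespace `team-a`, the service account `ingress-controller` and the object names are assumptions made for illustration.

```yaml
# (a) Grant needed for a watch on secrets/configmaps in ALL namespaces.
#     Names and namespace below are constructed for this example.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-read-all-namespaces
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-read-all-namespaces
subjects:
  - kind: ServiceAccount
    name: ingress-controller
    namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-read-all-namespaces
---
# (b) Grant that suffices only if the watch is limited to one namespace:
#     same verbs, but scoped by a Role/RoleBinding inside team-a.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-read-own-namespace
  namespace: team-a
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-read-own-namespace
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: ingress-controller
    namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-read-own-namespace
```

With only (b) applied, `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:team-a:ingress-controller` answers `no`, which is the separation a tenant namespace expects and the reason an all-namespaces watch cannot run under it.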