Skip to content

ADR-016: Multi-namespace operation by default

Category: architecture Provenance: guided-ai

Decision

Operator watches and manages resources across all namespaces by default. Not namespace-scoped. Team isolation via Kubernetes RBAC, not operator scope.

Rationale

Dynamic provisioning: Clients in any namespace can reference realms in other namespaces (if RBAC allows). Flexibility: Single operator instance serves entire cluster. RBAC-based isolation: Teams are isolated via K8s RBAC, more secure than namespace scoping. Operational efficiency: One operator deployment instead of per-namespace deployments.

Agent Instructions

Handlers use '@kopf.on' without namespace parameter (watches all namespaces). Authorization happens via K8s RBAC on CRD access, not namespace boundaries. When checking permissions, verify CRD RBAC, not namespace ownership. Support --namespace flag for debugging, but default is cluster-wide.