Re-enable restricting controller watch to single namespace

Adds the ability to restrict the seccomp controller to a single namespace such that users can restrict permissions required to run the operator in a cluster. Signed-off-by: hasheddan <georgedanielmangum@gmail.com>
kubernetes-sigs · Aug 12, 2020 · 1ea3286 · 1ea3286
1 parent 65acfe5
commit 1ea3286
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/cmd/seccomp-operator/main.go b/cmd/seccomp-operator/main.go
@@ -30,7 +30,10 @@ import (
 	"sigs.k8s.io/seccomp-operator/internal/pkg/version"
 )
 
-const jsonFlag string = "json"
+const (
+	jsonFlag      string = "json"
+	restrictNSKey string = "RESTRICT_TO_NAMESPACE"
+)
 
 var (
 	sync     = time.Second * 30
@@ -98,9 +101,15 @@ func run(*cli.Context) error {
 		return errors.Wrap(err, "get config")
 	}
 
-	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
+	ctrlOpts := ctrl.Options{
 		SyncPeriod: &sync,
-	})
+	}
+
+	if os.Getenv(restrictNSKey) != "" {
+		ctrlOpts.Namespace = os.Getenv(restrictNSKey)
+	}
+
+	mgr, err := ctrl.NewManager(cfg, ctrlOpts)
 	if err != nil {
 		return errors.Wrap(err, "create manager")
 	}