I have tried scoping the controller to a specific namespace and that works. But what I am trying to check is if I can scope it cluster-wide and give access for resources but only in specific namespaces. I tried, for example, using a kubebuilder marker with the namespace=xxxx option to provide access to secrets, e.g.:
//+kubebuilder:rbac:groups="",namespace=secret-namespace,resources=secrets,verbs=get;list;watch
My controller is then trying to get a secret by name and namespace
var secret corev1.Secret // the object to populate; Get needs it as its third argument
err := req.Client.Get(ctx, types.NamespacedName{Name: "secret-1", Namespace: "secret-namespace"}, &secret)
This gives an error about the controller not having cluster-wide permission to get secrets.
If I modify the kubebuilder marker to not have a namespace, as:
//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch
it works.
I can also do the same with a controller scoped to the namespace alone, but it will not know of other namespaces. I want to understand why the kubebuilder marker with namespace still tries to get the resource cluster wide? Should I Get the resource in a different way to avoid cluster wide access?