An operator can be restricted to handle custom resources in one namespace only:
kopf run --namespace=some-namespace ...
kopf run -n some-namespace ...
Multiple namespaces can be served:
kopf run --namespace=some-namespace --namespace=another-namespace ...
kopf run -n some-namespace -n another-namespace ...
Namespace globs with * and ? characters can be used too:
kopf run --namespace='*-pr-123-*' ...
kopf run -n '*-pr-123-*' ...
Namespaces can be negated: all namespaces are served except those excluded:
kopf run --namespace='!*-pr-123-*' ...
kopf run -n '!*-pr-123-*' ...
Multiple globs can be used in one pattern. The rightmost matching one wins.
The first glob is decisive: if a namespace does not match it, it does not match
the whole pattern regardless of what follows (other globs are not checked).
If the first glob is a negation, it is implied that initially all namespaces
do match (as if preceded by *), and then the negated ones are excluded.
In this artificial example, myapp-live will match, not match, but myapp-pr-123 will match; otherapp-live will not match; otherapp-pr-123 will not match despite the -pr-123 suffix in it because it does not match the initial decisive glob:
kopf run --namespace='myapp-*,!*-pr-*,*-pr-123' ...
In all cases, the operator monitors the namespaces that exist at startup or are created or deleted at runtime, and starts or stops serving them accordingly.
If there are no permissions to list/watch the namespaces, the operator falls
back to the list of provided namespaces “as is”, assuming they exist.
Namespace patterns do not work in this case; only the specific namespaces do
(which means that all namespaces with the ,*?! characters are excluded).
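The glob rules and the no-permission fallback described above can be checked against a list of namespace names before an operator is deployed. This is an added example, not Kopf's own code: the function names are hypothetical, the namespace list is constructed, and treating several --namespace values as a union is an assumption.

```python
from fnmatch import fnmatchcase

GLOB_CHARS = set(",*?!")  # characters that turn a --namespace value into a pattern


def namespace_matches(name: str, pattern: str) -> bool:
    """Apply the documented rules to one namespace name and one pattern."""
    globs = [g.strip() for g in pattern.split(",") if g.strip()]
    if not globs:
        return False
    # A leading negation behaves as if the pattern were preceded by "*".
    if globs[0].startswith("!"):
        globs.insert(0, "*")
    # The first glob is decisive: no later glob can re-include a miss.
    if not fnmatchcase(name, globs[0]):
        return False
    served = True
    # Walk left to right so the rightmost matching glob has the final say.
    for glob in globs[1:]:
        negated = glob.startswith("!")
        if fnmatchcase(name, glob.lstrip("!")):
            served = not negated
    return served


def served_namespaces(existing, patterns):
    """Namespaces served when the operator can list/watch namespaces.

    Assumption: a namespace is served if any of the given patterns matches.
    """
    return sorted(ns for ns in existing
                  if any(namespace_matches(ns, p) for p in patterns))


def fallback_namespaces(patterns):
    """Without list/watch permission only literal names are used "as is"."""
    return sorted(p for p in patterns if not GLOB_CHARS & set(p))


if __name__ == "__main__":
    # Constructed sample: names from the example above plus myapp-pr-999.
    existing = ["myapp-live", "myapp-pr-123", "myapp-pr-999",
                "otherapp-live", "otherapp-pr-123"]
    patterns = ["myapp-*,!*-pr-*,*-pr-123"]
    print(served_namespaces(existing, patterns))
    print(fallback_namespaces(patterns + ["some-namespace"]))
```

Running the check against the real namespace list of a cluster shows exactly which namespaces a pattern would expose to the operator, and which ones silently drop out when the namespace list/watch permission is missing.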
If a namespace does not exist, Kubernetes permits watching over it anyway. The only difference is when the resource watching starts: if the permissions are sufficient, the watching starts only after the namespace is created; if not sufficient, the watching starts immediately (for a nonexistent namespace) and the resources will be served once that namespace is created.
To serve the resources in the whole cluster:
kopf run --all-namespaces ...
kopf run -A ...
In that case, the operator does not monitor the namespaces in the cluster, and uses different K8s API URLs to list/watch the objects cluster-wide.