Scopes
Namespaces
An operator can be restricted to handle custom resources in one namespace only:
kopf run --namespace=some-namespace ...
kopf run -n some-namespace ...
Multiple namespaces can be served:
kopf run --namespace=some-namespace --namespace=another-namespace ...
kopf run -n some-namespace -n another-namespace ...
Namespace globs with *
and ?
characters can be used too:
kopf run --namespace=*-pr-123-* ...
kopf run -n *-pr-123-* ...
Namespaces can be negated: all namespaces are served except those excluded:
kopf run --namespace=!*-pr-123-* ...
kopf run -n !*-pr-123-* ...
Multiple globs can be used in one pattern. The rightmost matching one wins.
The first glob is decisive: if a namespace does not match it, it does not match
the whole pattern regardless of what is there (other globs are not checked).
If the first glob is a negation, it is implied that initially, all namespaces
do match (as if preceded by *
), and then the negated ones are excluded.
In this artificial example, myapp-live
will match, myapp-pr-456
will
not match, but myapp-pr-123
will match; otherapp-live
will not match;
even otherapp-pr-123
will not match despite the -pr-123
suffix in it
because it does not match the initial decisive glob:
kopf run --namespace=myapp-*,!*-pr-*,*-pr-123 ...
In all cases, the operator monitors the namespaces that exist at the startup or are created/deleted at runtime, and starts/stops serving them accordingly.
If there are no permissions to list/watch the namespaces, the operator falls
back to the list of provided namespaces “as is”, assuming they exist.
Namespace patterns do not work in this case; only the specific namespaces do
(which means, all namespaces with the ,*?!
characters are excluded).
If a namespace does not exist, Kubernetes permits watching over it anyway. The only difference is when the resource watching starts: if the permissions are sufficient, the watching starts only after the namespace is created; if not sufficient, the watching starts immediately (for an unexistent namespace) and the resources will be served once that namespace is created.
Cluster-wide
To serve the resources in the whole cluster:
kopf run --all-namespaces ...
kopf run -A ...
In that case, the operator does not monitor the namespaces in the cluster, and uses different K8s API URLs to list/watch the objects cluster-wide.