Skip to content

Support dynamic namespace selection via label selector (namespace label selector) #813

Description

@fourhu

Is your feature request related to a problem? Please describe.

Currently, only --namespace-whitelist and --namespace-blacklist startup parameters are supported to restrict which namespaces HAProxy Ingress Controller watches. This requires administrators to manually enumerate allowed namespaces by name. In clusters with many or dynamically changing namespaces, or in multi-tenant environments, this maintenance becomes tedious and error-prone.

Describe the solution you'd like

Add support for dynamic namespace selection via a Kubernetes label selector, exposed as a new startup parameter:

--namespace-label-selector=team=backend

When this option is configured, the controller should watch namespaces matching the selector and dynamically add or remove per-namespace informers when matching namespaces appear, disappear, or stop matching the selector.

This option is mutually exclusive with --namespace-whitelist and --namespace-blacklist.

If either --namespace-whitelist or --namespace-blacklist is configured, --namespace-label-selector should be ignored and the existing whitelist/blacklist behavior should remain unchanged.

Expected behavior

  • With only --namespace-label-selector configured:
    • Watch namespaces matching the selector.
    • Automatically pick up newly created or updated namespaces that match.
    • Stop watching namespaces that no longer match.
  • With --namespace-whitelist or --namespace-blacklist configured:
    • Preserve the existing whitelist/blacklist behavior.
    • Ignore --namespace-label-selector.

Describe alternatives you've considered

  • Manually updating namespace whitelist, which is not scalable.
  • Giving up on namespace scoping, which is not secure in many scenarios.
  • Running multiple controller instances, which adds operational overhead.

Additional context

This is similar in spirit to ingress-nginx's namespace label selector support:

https://kubernetes.github.io/ingress-nginx/user-guide/controller-operations/namespace-label-selector/

This feature would improve operational flexibility for large or dynamic clusters while preserving the existing whitelist/blacklist semantics.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions