Add namespaced isolation mode for cluster-scoped objects (#394)

Author: xrstf

Makefile

@@ -97,7 +97,8 @@ OS := $(shell go env GOOS)
 KUBE_MAJOR_VERSION := 1
 KUBE_MINOR_VERSION := $(shell go mod edit -json | jq '.Require[] | select(.Path == "k8s.io/client-go") | .Version' --raw-output | sed "s/v[0-9]*\.\([0-9]*\).*/\1/")
 GIT_COMMIT := $(shell git rev-parse --short HEAD || echo 'local')
-GIT_DIRTY := $(shell git diff --quiet && echo 'clean' || echo 'dirty')
+# --quiet would still produces output when files are deleted
+GIT_DIRTY := $(shell git diff --quiet >/dev/null && echo 'clean' || echo 'dirty')
 GIT_VERSION := $(shell go mod edit -json | jq '.Require[] | select(.Path == "k8s.io/client-go") | .Version' --raw-output | sed 's/v0/v1/')+kube-bind-$(shell git describe --tags --match='v*' --abbrev=14 "$(GIT_COMMIT)^{commit}" 2>/dev/null || echo v0.0.0-$(GIT_COMMIT))
 BUILD_DATE := $(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
 LDFLAGS := \

README.md

@@ -26,7 +26,7 @@ $ kubectl krew index add bind https://github.com/kube-bind/krew-index.git
 $ kubectl krew install bind/bind
 $ kubectl bind login https://mangodb
 $ kubectl bind
-Redirect to the brower to authenticate via OIDC.
+Redirect to the browser to authenticate via OIDC.
 BOOM – the MangoDB API is available in the local cluster,
        without anything MangoDB-specific running.
 $ kubectl get mangodbs

backend/controllers/serviceexportrequest/serviceexportrequest_reconcile.go

@@ -163,6 +163,14 @@ func (r *reconciler) ensureBoundSchemas(ctx context.Context, cl client.Client, c
 					continue
 				}
 
+				// If namespaced isolation is configured for cluster-scoped objects,
+				// we need to rewrite the BoundSchema's scope accordingly. For all
+				// other isolation strategies, as well as for namespaced schemas,
+				// no changes are necessary.
+				if boundSchema.Spec.Scope == apiextensionsv1.NamespaceScoped && r.clusterScopedIsolation == kubebindv1alpha2.IsolationNamespaced {
+					boundSchema.Spec.Scope = apiextensionsv1.ClusterScoped
+				}
+
 				if err := r.createBoundSchema(ctx, cl, boundSchema); err != nil {
 					return err
 				}

backend/oidc/oidc.go

@@ -91,7 +91,7 @@ func (s *Server) Config(callbackURL, issuerURL string) (*Config, error) {
 	c := &Config{
 		ClientID:     s.server.Config().ClientID,
 		ClientSecret: s.server.Config().ClientSecret,
-		Issuer:       issuerURL, // This overrided default fake OIDC issuer URL. Must match what it is served at.
+		Issuer:       issuerURL, // This overrides default fake OIDC issuer URL. Must match what it is served at.
 
 		AccessTTL:  s.server.Config().AccessTTL,
 		RefreshTTL: s.server.Config().RefreshTTL,

cli/cmd/kubectl-bind/cmd/kubectlBind_test.go

@@ -30,7 +30,7 @@ func TestKubectlBindCommand(t *testing.T) {
 
 	require.Equal(t, "kubectl-bind", rootCmd.Use, "Unexpected one-line command description")
 	require.Equal(t, "kubectl plugin for kube-bind, bind different remote types into the current cluster.", rootCmd.Short, "Unexpected short command description")
-	require.Contains(t, rootCmd.Long, "To bind a remote service, use the 'kubectl bind' command.", "Unexpected lond command Long")
+	require.Contains(t, rootCmd.Long, "To bind a remote service, use the 'kubectl bind' command.", "Unexpected long command")
 	require.Equal(t, rootCmd.Example, fmt.Sprintf(bindcmd.BindExampleUses, "kubectl"), "Unexpected command Example")
 }
 

cli/pkg/kubectl/bind-login/plugin/login.go

@@ -58,7 +58,7 @@ type LoginOptions struct {
 }
 
 // TokenResponse represents the response from the OAuth callback
-// Important: this stuct must match one on backend/auth/types.go
+// Important: this struct must match one on backend/auth/types.go
 type TokenResponse struct {
 	// OAuth2 token fields
 	AccessToken  string    `json:"access_token"`

contrib/kcp/go.mod

@@ -14,7 +14,7 @@ replace (
 // Can use versioned when v0.28.2 releases
 replace github.com/kcp-dev/kcp/sdk => github.com/kcp-dev/kcp/sdk v0.28.1-0.20251003164010-742ce0ea6b8c
 
-// k/k 1.34 is leaking from main repo. This pins some deps to force depdendency tree to be on 1.34
+// k/k 1.34 is leaking from main repo. This pins some deps to force dependency tree to be on 1.34
 replace (
 	github.com/google/gnostic-models => github.com/google/gnostic-models v0.6.9
 	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff

contrib/kcp/test/e2e/kcp_test.go

@@ -155,7 +155,7 @@ func testKcpIntegration(t *testing.T, name string, scope kubebindv1alpha2.Inform
 	// Can assume that the last entry is now the cluster-id, grab it and
 	// sanity check that it's not empty
 	providerClusterID := providerClusterSplit[len(providerClusterSplit)-1]
-	require.NotEmpty(t, providerClusterID, "Retreived cluster id is empty, source URL: %s", providerCluster.Status.URL)
+	require.NotEmpty(t, providerClusterID, "Retrieved cluster id is empty, source URL: %s", providerCluster.Status.URL)
 
 	// kube-bind process
 	t.Log("Perform binding process with browser")

docs/content/usage/.pages

@@ -1,2 +1,4 @@
 nav:
-    - api-concepts.md
+    - index.md
+    - api-concepts.md
+    - synchronization.md

docs/content/usage/index.md

@@ -14,60 +14,72 @@ This section provides comprehensive documentation on how to use kube-bind's core
 kube-bind operates on three fundamental concepts:
 
 ### Service Provider
+
 The cluster that **exports** APIs and resources, making them available for other clusters to consume. Service providers create templates and handle permission claims.
 
-### Service Consumer  
+### Service Consumer
+
 The cluster that **imports** and uses APIs from service providers. Consumers bind to templates and get access to resources through a secure, controlled process.
 
 ### Konnector Agent
+
 The component that establishes and maintains the secure connection between provider and consumer clusters, synchronizing resources and handling permissions.
 
 ## Key API Types
 
 ### APIServiceExportTemplate
+
 **Purpose**: Defines a reusable service template that groups related CRDs and permission claims.
 **Used by**: Service providers
 **Scope**: Template definition for multiple consumers
 
 ### APIServiceExport
+
 **Purpose**: Represents an active export of a specific CRD to consumer clusters.
 **Used by**: Automatically created by konnector agents
 **Scope**: Per-CRD export instance
 
 ### APIServiceExportRequest
+
 **Purpose**: Consumer's request to bind to a specific service template.
 **Used by**: Service consumers (via CLI/UI)
 **Scope**: Per-binding request
 
 ### APIServiceNamespace
+
 **Purpose**: Manages namespace mapping and isolation between provider and consumer clusters.
 **Used by**: Automatically managed by konnector agents
 **Scope**: Per-namespace sync
 
 ## Documentation Structure
 
 ### [API Concepts](api-concepts.md)
+
 Deep dive into the core API types, their relationships, and how they work together in the kube-bind ecosystem.
 
 ### [Template References](template-references.md)
+
 Advanced guide for using dynamic resource selection through references in templates.
 
 ## Common Workflows
 
 ### For Service Providers
+
 1. **Create templates** defining what APIs and resources to export, including permission claims
 2. **Implement service** to act on the synced/bound objects so it can be returned to the consumer/user.
 
-### For Service Consumers  
+### For Service Consumers
+
 1. **Authenticate** to the kube-bind backend
 1. **Discover available templates** through the web UI or CLI
 2. **Request bindings** to specific templates
 3. **Authenticate and authorize** access through OAuth2 flows
 4. **Use imported APIs** in their local cluster
 
 ### For Platform Operators
+
 1. **Deploy kube-bind infrastructure** on both provider and consumer sides (if using GitOps)
-2. **Configure authentication** and security policies  
+2. **Configure authentication** and security policies
 3. **Monitor connections** and resource synchronization
 
 ## Getting Started
@@ -79,9 +91,9 @@ If you're new to kube-bind:
 3. **Explore [Template References](template-references.md)** for advanced use cases
 4. **Check the [Reference Documentation](../reference/)** for complete API specifications
 
-
 The konnector agents establish a secure, authenticated connection that allows:
+
 - **API schema synchronization** from provider to consumer
 - **Resource data flow** based on permission claims
 - **Namespace isolation** and mapping
-- **Authentication and authorization** enforcement
+- **Authentication and authorization** enforcement