emberstack · winromulus · Apr 24, 2026 · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026
diff --git a/README.md b/README.md
@@ -79,11 +79,13 @@ $ kubectl -n kube-system apply -f https://github.com/emberstack/kubernetes-refle
 
   - Add `reflector.v1.k8s.emberstack.com/reflection-allowed: "true"` to the resource annotations to permit reflection to mirrors.
   - Add `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "<list>"` to the resource annotations to permit reflection from only the list of comma separated namespaces or regular expressions. Note: If this annotation is omitted or is empty, all namespaces are allowed.
+  - Add `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces-selector: "<selector>"` to the resource annotations to permit reflection only to namespaces matching the given Kubernetes label selector (e.g. `env=production`, `team in (a,b)`). If both this and `reflection-allowed-namespaces` are set, a namespace matches if it satisfies either condition.
 
   #### Automatic mirror creation:
   Reflector can create mirrors with the same name in other namespaces automatically. The following annotations control if and how the mirrors are created:
   - Add `reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"` to the resource annotations to automatically create mirrors in other namespaces. Note: Requires `reflector.v1.k8s.emberstack.com/reflection-allowed` to be `true` since mirrors need to able to reflect the source.
   - Add `reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "<list>"` to the resource annotations specify in which namespaces to automatically create mirrors. Note: If this annotation is omitted or is empty, all namespaces are allowed. Namespaces in this list will also be checked by `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces` since mirrors need to be in namespaces from where reflection is permitted.
+  - Add `reflector.v1.k8s.emberstack.com/reflection-auto-namespaces-selector: "<selector>"` to the resource annotations to select namespaces for automatic mirrors using a Kubernetes label selector. If both this and `reflection-auto-namespaces` are set, a namespace matches if it satisfies either condition.
 
   > Important: If the `source` is deleted, automatic mirrors are deleted. Also if either reflection or automirroring is turned off or the automatic mirror's namespace is no longer a valid match for the allowed namespaces, the automatic mirror is deleted.
 
@@ -98,10 +100,11 @@ $ kubectl -n kube-system apply -f https://github.com/emberstack/kubernetes-refle
     annotations:
       reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
       reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces-selector: "env=production"
   data:
     ...
   ```
-  
+
   Example source configmap:
    ```yaml
   apiVersion: v1
@@ -111,10 +114,11 @@ $ kubectl -n kube-system apply -f https://github.com/emberstack/kubernetes-refle
     annotations:
       reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
       reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "namespace-1,namespace-2,namespace-[0-9]*"
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces-selector: "env=production"
   data:
     ...
   ```
-  
+
 ### 2. Annotate the mirror secret or configmap
 
   - Add `reflector.v1.k8s.emberstack.com/reflects: "<source namespace>/<source name>"` to the mirror object. The value of the annotation is the full name of the source object in `namespace/name` format.

diff --git a/src/ES.Kubernetes.Reflector/ES.Kubernetes.Reflector.csproj b/src/ES.Kubernetes.Reflector/ES.Kubernetes.Reflector.csproj
@@ -8,6 +8,10 @@
 		<ServerGarbageCollection>false</ServerGarbageCollection>
 	</PropertyGroup>
 
+	<ItemGroup>
+		<InternalsVisibleTo Include="ES.Kubernetes.Reflector.Tests" />
+	</ItemGroup>
+
 	<ItemGroup>
 		<PackageReference Include="ES.FX.Ignite" />
 		<PackageReference Include="ES.FX.Ignite.OpenTelemetry.Exporter.Seq" />

diff --git a/src/ES.Kubernetes.Reflector/Mirroring/Core/Annotations.cs b/src/ES.Kubernetes.Reflector/Mirroring/Core/Annotations.cs
@@ -8,8 +8,10 @@ public static class Reflection
     {
         public static string Allowed => $"{Prefix}/reflection-allowed";
         public static string AllowedNamespaces => $"{Prefix}/reflection-allowed-namespaces";
+        public static string AllowedNamespacesSelector => $"{Prefix}/reflection-allowed-namespaces-selector";
         public static string AutoEnabled => $"{Prefix}/reflection-auto-enabled";
         public static string AutoNamespaces => $"{Prefix}/reflection-auto-namespaces";
+        public static string AutoNamespacesSelector => $"{Prefix}/reflection-auto-namespaces-selector";
         public static string Reflects => $"{Prefix}/reflects";
 
 

diff --git a/src/ES.Kubernetes.Reflector/Mirroring/Core/MirroringProperties.cs b/src/ES.Kubernetes.Reflector/Mirroring/Core/MirroringProperties.cs
@@ -7,8 +7,10 @@ public class MirroringProperties
 {
     public bool Allowed { get; set; }
     public string AllowedNamespaces { get; set; } = string.Empty;
+    public string AllowedNamespacesSelector { get; set; } = string.Empty;
     public bool AutoEnabled { get; set; }
     public string AutoNamespaces { get; set; } = string.Empty;
+    public string AutoNamespacesSelector { get; set; } = string.Empty;
     public NamespacedName? Reflects { get; set; }
 
     public string ResourceVersion { get; set; } = string.Empty;