Ability to specify which namespaces policy-controller listens to

[DerekTBrown]

What problem are you trying to solve?

• I have various k8s namespaces that I do not need/want the Linkerd policy-controller or policy-validator to watch/modify.
• There isn't a way to specify which namespaces should/shouldn't be watched.

How should the problem be solved?

• This can be solved by adding a flag to the policy-controller that is passed into the K8s runtime watcher.

Any alternatives you've considered?

• I haven't been able to find a solution, short of maintaining a hard-fork of linkerd.

How would users interact with this feature?

No response

Would you like to work on this feature?

yes

[kflynn]

@DerekTBrown, can you give a little more detail here? Are these namespaces that you want to be unmeshed, or namespaces that you don't want meshed workloads to be able to route to, or... ?

[DerekTBrown]

@DerekTBrown, can you give a little more detail here? Are these namespaces that you want to be unmeshed, or namespaces that you don't want meshed workloads to be able to route to, or... ?

The immediate issue we are seeing is with multiple controllers in conflict. We have a different Gateway API controller that handles HTTPRoute in our clusters. We need a mechanism to indicate which controller is responsible for a given HTTPRoute to avoid the two repeatedly clobbering controllerName and other fields.

A longer-term need for this is to reduce the load on the policy-controller. We have a number of unmeshed workloads that we don't need to be tracked by linkerd.

[DerekTBrown]

Issue on the Gateway API: kubernetes-sigs/gateway-api#3444