Should the GitLab Operator be scoped for cluster or namespace?

Summary

From #31 (comment 482555417):

The controller is scoped to namespace and I think we should keep it that way (considering the privileges).

We noted that the controller should be namespace scoped, but we've noticed recent issues (including #209 (closed)) where it seems to reconcile objects outside of its own namespace.

I looked into the OperatorFramework docs on scoping more and found some notes on how to ensure it is properly namespace-scoped.

Details

To change the operator scope, you need to change the ClusterRole to a Role and then update the RBAC markers. Finally, run make manifests to update config/rbac/role.yaml.

Then, be sure to update the WATCH_NAMESPACE so it is updated dynamically rather than being hard-coded.

Checklist if we namespace-scope the Operator:

  • Our operator is namespace-scoped as defined in the OperatorFramework docs
  • We confirm that the Operator does not attempt to reconcile CRs in another namespace
  • We switch from ClusterRole and ClusterRoleBinding to Role and RoleBinding

Acceptance criteria

  • A decision is made whether to make the Operator namespace-scoped or cluster-scoped (or support both via a configuration toggle) comment
  • Issue(s) are created to address the decision
Edited by Dustin Collins
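
A namespace-scoped layout matching the checklist above, as an added example that is not part of the original issue or the GitLab Operator repository. All names, the namespace, the image and the API group are placeholders; WATCH_NAMESPACE is filled from the pod's own namespace through the Kubernetes downward API instead of a literal value.

```yaml
# Added illustration; every name below is a placeholder.
# Hard-coded form to avoid (drifts when the operator is installed elsewhere):
#   env:
#     - name: WATCH_NAMESPACE
#       value: "example-ns"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-operator
  namespace: example-ns
spec:
  replicas: 1
  selector:
    matchLabels: {app: example-operator}
  template:
    metadata:
      labels: {app: example-operator}
    spec:
      serviceAccountName: example-operator
      containers:
        - name: manager
          image: registry.example.com/example-operator:placeholder
          env:
            - name: WATCH_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace  # the pod's own namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                 # replaces ClusterRole: grants apply in example-ns only
metadata:
  name: example-operator
  namespace: example-ns
rules:
  - apiGroups: ["example.com"]          # placeholder CRD group
    resources: ["examples", "examples/status"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding          # replaces ClusterRoleBinding
metadata:
  name: example-operator
  namespace: example-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: example-operator
subjects:
  - kind: ServiceAccount
    name: example-operator
    namespace: example-ns
```

With only a Role bound, `kubectl auth can-i list secrets -n other-ns --as=system:serviceaccount:example-ns:example-operator` should answer `no`, which gives a quick check that the service account has no reach outside its own namespace.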