Can any Gateway controllers be deployed with only limited access to Secrets?

[robscott]

As far as I can tell, most Gateway and Ingress controllers today are deployed with read access to all secrets in the cluster.

For example, Contour has a creative solution with Ingress and their custom APIs that could allow you to create namespace(s) just for TLS Certs and only expose those to Contour. The same high level pattern could be achieved with ReferenceGrant in Gateway API.

With that said, any of these approaches would need to be paired with some kind of controller level flag to only read Secrets from certain namespace(s). I can't find any evidence of that kind of config existing in Gateway or Ingress controllers, but it would be very cool if it did.

For context, @enj and I are looking for controllers that we can feature in our KubeCon talk, so if you know of any controllers that either already support something like this or have plans to, we'd love to hear about it.

[howardjohn]

Istio control plane can read from all namespaces or none, but not a list or arbitrary ones/etc. But it also reads secrets for other reasons beyond Gateway anyways

The data plane only has access to the ones configured by ReferenceGrant though.

[sunjayBhatia]

Contour also supports another option to limit the namespaces it will watch for all resources from: https://projectcontour.io/docs/1.28/config/api/#projectcontour.io/v1alpha1.ContourSettings (the watchNamespaces option/flag)

this isn't limited to Secrets though so maybe not exactly what you're looking for

[youngnick]

Cilium has two components, an operator (only actuates Kubernetes objects, runs as a Deployment), and an agent (runs on each node and exposes an xDS control plane to the per-node proxies).

The Operator synchronizes all Secrets referenced in Ingress or Gateway API config to a special namespace, and the Agent only has access to read secrets in that namespace. This way, the agent's read scope is limited.

That said, if the new ReferenceGrant were available, we'd consider it.