Yarp namespaced Ingress Controller support #2964

@Xulei-NL

Description

What should we add or change to make your life better?

Hi there,

I followed ingress-controller.yaml to set up the Yarp Ingress Controller for applications. I'm wondering if it is possible for Yarp to support a namespaced Ingress Controller like https://developer.konghq.com/kubernetes-ingress-controller/workspaces/?

I looked at the Yarp Ingress Controller implementation. Currently the implementation uses APIs such as ListIngressForAllNamespacesWithHttpMessagesAsync() to list a kind of resource in all namespaces. I think the main change involves invoking the C# KubernetesClient to list a given namespaced resource, such as ListNamespacedPod("default").

I am also aware of the current design considerations. One approach is to employ fieldSelector to selectively get resources from a given namespace. What's more, my feature request could complicate the implementation where reading more than one namespace resource is required.

Why is this important to you?

I'm using the Yarp Ingress Controller as a replacement for Kong Ingress Controller. In my environment, each namespace runs an isolated application.

I prefer to avoid using clusterrole and clusterrolebinding and let each Yarp read only the namespace I specify.

I regard this Issue as a place to have a broad discussion. I really appreciate any feedback!

Testing

I tried to get around by creating a ServiceAccount and using a RoleBinding to bind the ClusterRole. But it didn't work. See the error logs:

yarp-ingress-c99b49c49-99nvn System.AggregateException: One or more hosted services failed to stop. (Operation returned an invalid status code 'Forbidden', response body {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"endpoints is forbidden: User "system:serviceaccount:dev:restrict-yarp" cannot list resource "endpoints" in API group "" at the cluster scope: Azure does not have opinion for this user.","reason":"Forbidden","details":{"kind":"endpoints"},"code":403}
yarp-ingress-c99b49c49-99nvn ) (Operation returned an invalid status code 'Forbidden', response body {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"services is forbidden: User "system:serviceaccount:dev:restrict-yarp" cannot list resource "services" in API group "" at the cluster scope: Azure does not have opinion for this user.","reason":"Forbidden","details":{"kind":"services"},"code":403}
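
Why the RoleBinding attempt in the Testing section returns 403, as an added example that is not part of the original issue or of YARP's code: a simplified Python model of how RBAC scopes a RoleBinding that references a ClusterRole. The service account and namespace come from the log above; the rule set is a constructed stand-in for the ClusterRole's rules, and API groups are ignored for brevity.

```python
# Simplified model of Kubernetes RBAC scoping (illustrative; not the API server's code).
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    resources: frozenset
    verbs: frozenset


@dataclass(frozen=True)
class Binding:
    subject: str                # user or service account the binding applies to
    rules: Tuple[Rule, ...]     # rules of the referenced Role or ClusterRole
    namespace: Optional[str]    # RoleBinding namespace; None for a ClusterRoleBinding


def authorize(bindings, user, verb, resource, namespace=None):
    """Return True if any binding grants `verb` on `resource`.

    namespace=None models a cluster-scope request, e.g. a list across
    all namespaces such as GET /api/v1/endpoints.
    """
    for b in bindings:
        if b.subject != user:
            continue
        # A RoleBinding applies only to requests inside its own namespace,
        # even when its roleRef points at a ClusterRole.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(resource in r.resources and verb in r.verbs for r in b.rules):
            return True
    return False


SA = "system:serviceaccount:dev:restrict-yarp"   # from the error log
READ = frozenset({"get", "list", "watch"})
# Constructed rules standing in for the ClusterRole (assumption).
CLUSTER_ROLE_RULES = (Rule(frozenset({"endpoints", "services", "ingresses"}), READ),)

role_binding_only = [Binding(SA, CLUSTER_ROLE_RULES, namespace="dev")]
cluster_binding = [Binding(SA, CLUSTER_ROLE_RULES, namespace=None)]

if __name__ == "__main__":
    for label, bindings in (("RoleBinding in dev", role_binding_only),
                            ("ClusterRoleBinding", cluster_binding)):
        print(label,
              "| list endpoints in dev:", authorize(bindings, SA, "list", "endpoints", "dev"),
              "| list endpoints at cluster scope:", authorize(bindings, SA, "list", "endpoints"))
```

With only the RoleBinding, the namespaced list is allowed and the all-namespaces list is denied, which matches the "at the cluster scope" wording in the 403 responses.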
