Namespace-scoped Pruner Execution & RBAC Reduction #100

@anithapriyanatarajan

Description

Feature request

Feedback from @afrittoli based on observations in the dogfooding cluster.
It would be useful to allow the Tekton pruner to run in a namespaced mode. If a list of namespaces is provided, the pruner should only act on those namespaces and ignore all others.

When such a list is configured, the pruner should not list namespaces cluster-wide. This also means the service account would no longer need permission to list namespaces, since the scope is already known.

The existing behavior should remain unchanged when no namespace list is provided.

Use case

In shared or restricted clusters, teams often want the pruner to clean up Tekton resources only in specific namespaces (for example, CI namespaces). Today, the pruner requires cluster-wide access even when only a few namespaces need to be pruned. This makes it harder to follow the principle of least privilege and increases the overall access granted to the pruner.

A namespaced mode would make it easier to:

  • Limit the pruner’s scope to the intended namespaces
  • Reduce required RBAC permissions
  • Run the pruner safely in multi-tenant or regulated environments
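The following Go program is an added illustration of the behaviour the request describes; it is not code from the Tekton pruner or from the issue author. It models the two modes side by side: when a namespace list is configured, the target set is taken from the configuration and the cluster-wide namespace lister is never invoked, and the derived RBAC grant is one namespaced Role per target namespace with no rule on `namespaces`; when the list is empty, the existing behaviour is kept (list namespaces cluster-wide, ClusterRole that includes `namespaces/list`). The `NamespaceLister` interface, the `PolicyRule`/`Binding` structs and the `pipelineruns`/`taskruns` resource names are assumptions made here so the example runs offline without a Kubernetes client.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// NamespaceLister stands in for the cluster-wide "list namespaces" API call
// that needs the namespaces/list verb. Assumed interface for this example.
type NamespaceLister interface {
	ListNamespaces() ([]string, error)
}

// PolicyRule and Binding are simplified stand-ins for RBAC objects
// (assumption: real code would use k8s.io/api/rbac/v1 types).
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

type Binding struct {
	Kind      string // "ClusterRole" (cluster-wide mode) or "Role" (namespaced mode)
	Namespace string // empty for ClusterRole
	Rules     []PolicyRule
}

// ResolveTargetNamespaces returns the namespaces the pruner acts on.
// With a configured list, that list is used and the lister is never called,
// so the service account needs no permission to list namespaces.
// With an empty list, behaviour is unchanged: list namespaces cluster-wide.
func ResolveTargetNamespaces(configured []string, lister NamespaceLister) ([]string, error) {
	if len(configured) > 0 {
		return normalize(configured), nil
	}
	if lister == nil {
		return nil, fmt.Errorf("no namespace list configured and no cluster-wide lister available")
	}
	all, err := lister.ListNamespaces()
	if err != nil {
		return nil, fmt.Errorf("listing namespaces cluster-wide: %w", err)
	}
	return normalize(all), nil
}

// normalize trims, de-duplicates and sorts namespace names.
func normalize(in []string) []string {
	seen := map[string]struct{}{}
	out := make([]string, 0, len(in))
	for _, ns := range in {
		ns = strings.TrimSpace(ns)
		if _, dup := seen[ns]; ns == "" || dup {
			continue
		}
		seen[ns] = struct{}{}
		out = append(out, ns)
	}
	sort.Strings(out)
	return out
}

// pruneRules: verbs the pruner needs on run resources in either mode
// (resource names are an assumption for the example).
var pruneRules = []PolicyRule{
	{APIGroups: []string{"tekton.dev"}, Resources: []string{"pipelineruns", "taskruns"}, Verbs: []string{"get", "list", "delete"}},
}

// BuildBindings derives the least-privilege grant for a configuration:
// per-namespace Roles without any namespaces rule when a list is given,
// otherwise one ClusterRole that additionally lists namespaces.
func BuildBindings(configured []string) []Binding {
	targets := normalize(configured)
	if len(targets) == 0 {
		rules := append([]PolicyRule{}, pruneRules...)
		rules = append(rules, PolicyRule{APIGroups: []string{""}, Resources: []string{"namespaces"}, Verbs: []string{"list"}})
		return []Binding{{Kind: "ClusterRole", Rules: rules}}
	}
	out := make([]Binding, 0, len(targets))
	for _, ns := range targets {
		out = append(out, Binding{Kind: "Role", Namespace: ns, Rules: append([]PolicyRule{}, pruneRules...)})
	}
	return out
}

// NeedsNamespaceList reports whether a grant still includes a rule on the
// cluster-scoped namespaces resource, i.e. whether it is wider than needed.
func NeedsNamespaceList(bindings []Binding) bool {
	for _, b := range bindings {
		for _, r := range b.Rules {
			for _, res := range r.Resources {
				if res == "namespaces" {
					return true
				}
			}
		}
	}
	return false
}

// recordingLister is a constructed fake that records whether the
// cluster-wide call was made.
type recordingLister struct {
	called     bool
	namespaces []string
}

func (r *recordingLister) ListNamespaces() ([]string, error) {
	r.called = true
	return r.namespaces, nil
}

func main() {
	lister := &recordingLister{namespaces: []string{"default", "ci", "team-a", "kube-system"}}
	scoped, _ := ResolveTargetNamespaces([]string{"ci", "team-a", "ci"}, lister)
	fmt.Println("namespaced mode:", scoped, "listed cluster-wide:", lister.called)
	wide, _ := ResolveTargetNamespaces(nil, lister)
	fmt.Println("cluster-wide mode:", wide, "listed cluster-wide:", lister.called)
	for _, b := range BuildBindings([]string{"ci", "team-a"}) {
		fmt.Printf("%s ns=%q needs namespaces/list=%v\n", b.Kind, b.Namespace, NeedsNamespaceList([]Binding{b}))
	}
}
```

The point the fake lister makes explicit is the one the request relies on: in namespaced mode the cluster-wide call is never issued, so dropping the `namespaces` rule from the service account's grant cannot break pruning, and the resulting Roles can be bound only in the CI namespaces a tenant actually owns.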

Metadata
Labels: kind/feature (categorizes issue or PR as related to a new feature)