Restrict queues by namespaces
Is your feature request related to a problem? Please describe.
I'd like to have a one-to-one mapping between the queues and namespaces. I want groupA to only submit to queueA which can only create pods in namespaceA, and groupB->queueB->namespaceB.
Describe the solution you'd like
Currently a queue can submit pods to any namespace in the cluster, which is bad from a security point of view and doesn't provide isolation for groups the way namespaces do if used directly.
Describe alternatives you've considered
A field AllowedNamespaces []string in queue definition that will restrict the queue to only those namespaces
This would be appreciated from my endpoint as well.
We are using separate namespaces for different teams' workloads, and it would be nice to have a way to restrict a user to a specific namespace(s) when launching jobs.
For my case it doesn't need to be a queue though.
An extra permission for group mappings.
permissionGroupMapping:
  ...
  - allowed_namespaces:
    - foo
    - bar
would be sufficient for me.
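A submit-time check covering both requests in this thread (the queue-level `AllowedNamespaces` field and the per-group `allowed_namespaces` mapping), as an added example that is not code from the project or from either poster. The `Queue` type, `CheckSubmit`, the deny-by-default handling of empty lists, the mapping of an omitted namespace to `default`, and requiring both checks to pass are all assumptions made for illustration; the sample data is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Queue is a hypothetical stand-in for a queue definition that carries the
// AllowedNamespaces field proposed in the issue. It is not the project's type.
type Queue struct {
	Name              string
	AllowedNamespaces []string
}

var ErrNamespaceDenied = errors.New("namespace not allowed")

func contains(list []string, ns string) bool {
	for _, v := range list {
		if v == ns {
			return true
		}
	}
	return false
}

// CheckSubmit enforces both proposals: the queue allowlist and the per-group
// allowed_namespaces mapping. Assumptions: an empty list allows nothing, and
// an omitted namespace is checked as "default" so it cannot skip the check.
func CheckSubmit(q Queue, groupNS map[string][]string, userGroups []string, ns string) error {
	if ns == "" {
		ns = "default"
	}
	if !contains(q.AllowedNamespaces, ns) {
		return fmt.Errorf("%w: queue %q cannot use namespace %q", ErrNamespaceDenied, q.Name, ns)
	}
	for _, g := range userGroups {
		if contains(groupNS[g], ns) {
			return nil
		}
	}
	return fmt.Errorf("%w: no group of this user may use namespace %q", ErrNamespaceDenied, ns)
}

func main() {
	// Constructed sample data mirroring groupA -> queueA -> namespaceA.
	q := Queue{Name: "queueA", AllowedNamespaces: []string{"namespaceA"}}
	groups := map[string][]string{"groupA": {"namespaceA"}, "groupB": {"namespaceB"}}
	fmt.Println(CheckSubmit(q, groups, []string{"groupA"}, "namespaceA"))
	fmt.Println(CheckSubmit(q, groups, []string{"groupB"}, "namespaceB"))
}
```

The check only isolates teams if it runs server-side at submission, before any pod spec reaches the cluster, and if the namespace it evaluates is the one actually used to create the pod.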