Overview
Allow includeNamespaces / excludeNamespaces in the kubescape-operator
config to accept regex patterns in addition to exact namespace names.
Problem
From a scalable standpoint, it would be nice to create a regex so that we can have dynamic namespaces.
Solution
includeNamespaces: "kube-system" # unchanged, exact match
includeNamespacesRegex: "^team-.*-prod$" # new, RE2 regex
excludeNamespaces: [...]
excludeNamespacesRegex: [...]
A namespace is included if it matches any entry in either list; excluded likewise. Patterns use Go's regexp (RE2) and are compiled once at config load — invalid patterns fail fast with a clear error.
Alternatives
Flux GitOps workaround: a CronJob with namespace list/get RBAC resolves the regex against live cluster state every N minutes and writes the matched names to a ConfigMap. The HelmRelease references it via spec.valuesFrom, so Flux re-renders the chart whenever the list changes.
Additional context
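
The matching rule described under Solution, as an added Go example that is not kubescape-operator code or part of the original issue. The type and function names are hypothetical; the include and the exclude setting would each get its own matcher, built from its exact list and its regex list.

```go
package main

import (
	"fmt"
	"regexp"
)

// NamespaceMatcher (hypothetical name) holds one exact list plus its compiled regex list.
type NamespaceMatcher struct {
	exact    map[string]struct{}
	patterns []*regexp.Regexp
}

// NewNamespaceMatcher compiles each pattern once; an invalid one aborts loading and is named in the error.
func NewNamespaceMatcher(names, patterns []string) (*NamespaceMatcher, error) {
	m := &NamespaceMatcher{exact: make(map[string]struct{}, len(names))}
	for _, n := range names {
		m.exact[n] = struct{}{}
	}
	for i, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("namespace regex #%d %q: %w", i, p, err)
		}
		m.patterns = append(m.patterns, re)
	}
	return m, nil
}

// Matches is true when ns equals an exact entry or matches any compiled pattern.
func (m *NamespaceMatcher) Matches(ns string) bool {
	if _, ok := m.exact[ns]; ok {
		return true
	}
	for _, re := range m.patterns {
		if re.MatchString(ns) { // substring search unless the pattern is anchored
			return true
		}
	}
	return false
}

func main() {
	m, err := NewNamespaceMatcher([]string{"kube-system"}, []string{"^team-.*-prod$"})
	if err != nil {
		panic(err)
	}
	// Constructed sample namespaces.
	for _, ns := range []string{"kube-system", "team-a-prod", "team-a-prod-canary"} {
		fmt.Println(ns, m.Matches(ns))
	}
}
```

Because `MatchString` finds a match anywhere in the name, an unanchored entry such as `prod` also matches `nonprod-tools`; anchoring with `^...$`, as in the issue's example, is what restricts a pattern to the whole namespace name.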