kubernetes-sigs / controller-runtime

Repo for the controller-runtime subproject of kubebuilder (sig-apimachinery)


unable to list/watch resources without cluster-wide permissions

gpomykala opened this issue · comments

I attempted to leverage controller-runtime as a building block for a component that will watch some specific kind of resource, mostly due to the built-in caching / component lifecycle management via the default Manager.

What I missed is that Manager does not seem to allow injecting a non-default Client, e.g. https://github.com/kubernetes-sigs/controller-runtime/blob/main/pkg/client/namespaced_client.go, that would allow observing resources in a specific namespace only. My component runs with a service account that has some namespace-scoped permissions, but not cluster-wide permissions, which leads to

E0220 12:56:54.476930      17 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.0/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Workflow: failed to list *v1alpha1.Workflow: workflows.argoproj.io is forbidden: User "XXX" cannot list resource "workflows" in API group "argoproj.io" at the cluster scope

I tried to inject the namespace to watch via the configuration mentioned here https://github.com/kubernetes-sigs/controller-runtime/issues/2467 with no luck so far.

Is it possible to either:

  • inject the namespace to Manager's configuration
  • inject non-default Client to the Manager

I am open to other suggestions as well.

/kind support

nvm, actually setting the namespace in cache options did work as explained in #1708 (comment)