Description
This enhancement introduces a global mechanism for defining and managing namespaces on Managed Clusters directly from the hub. The proposal creates a new CRD API for "Global Namespaces" that span all clusters within a ManagedClusterSet, enabling centralized application of Kubernetes access controls through ClusterPermissions. This addresses the current limitation where ManifestWork and ClusterPermission resources must be managed separately and independently, providing a more streamlined approach for multi-cluster governance and security consistency.
The key benefits include automatic and consistent namespace creation across all managed clusters in a set, simplified security management at scale, and improved support for workloads like Virtual Machines that require namespace consistency for migration and visibility. The enhancement is specifically designed to work with existing RBAC tooling while avoiding management of system namespaces. The proposal includes user stories for creating and deleting Global Namespaces, with considerations for handling existing namespaces and deletion strategies. This enhancement fills a gap in the current architecture by providing a unified approach to namespace management that's tightly integrated with ManagedClusterSet boundaries.