Restrict queues by namespaces

[dimm0]

Is your feature request related to a problem? Please describe.

I'd like to have a one to one mapping between the queues and namespaces. I want groupA to only submit to queueA which can only create pods in namespaceA, and groupB->queueB->namespaceB.

Describe the solution you'd like

Currently a queue can submit pods to any namespace in the cluster, which is bad both from security point and doesn't provide isolation for groups like the namespaces do if used directly.

Describe alternatives you've considered

A field AllowedNamespaces []string in queue definition that will restrict the queue to only those namespaces

[washcycle]

This would be appreciated from my endpoint as well.

We are using separate namespaces for different teams' workloads, and it would be nice to have a way to restrict a user to a specific namespace(s) when launch jobs.

For my case it doesn't need to be a queue though.

An extra permission for group mappings.

  permissionGroupMapping:
    ...
   - allowed_namespaces:
      - foo
      - bar

would be sufficient for me.