Open
Description
Summary
trust-manager currently records Kubernetes Events against the cluster-scoped Bundle resource. Because the involved object is cluster-scoped, Events are created in the default namespace (as per Kubernetes guidance). With the new trust-manager feature "add ability to limit the target namespaces managed", the controller may not have permissions to write Events in default. This leads to Event creation failures/noise. I propose switching to emitting Events on the trust-manager Pod (namespaced) so Event writes always happen in the operator's own namespace where it has RBAC.
Problem
- Today: Events for Bundle actions are emitted with involvedObject=Bundle/..., stored in the default namespace
- In restricted environments using the target-namespaces feature, trust-manager may not have create permissions for Events in default (and default may not be in the target list at all)
- Result: Event writes fail, causing warning logs and loss of operational signals, or requiring broader-than-necessary RBAC in default
Proposed change
Emit Events against the trust-manager Pod (namespaced), ensuring:
- Events are created in the same namespace where trust-manager runs (and where it already has RBAC)
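As an added illustration (not from the issue or from the trust-manager project), the RBAC difference the proposal makes: today an Events permission is needed in `default`, whereas with the Pod as the involved object a single namespaced Role in the operator's namespace suffices. The namespace `cert-manager` and service account `trust-manager` are assumed names.

```yaml
# Added example, not trust-manager's own manifests. Namespace and service account names are assumed.
# Before the proposed change: Events for the cluster-scoped Bundle land in "default",
# so the controller needs Events permission there, even if "default" is not a target namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: trust-manager-events
  namespace: default          # namespace forced by the cluster-scoped involvedObject
rules:
  - apiGroups: ["", "events.k8s.io"]   # legacy core Events and events.k8s.io/v1
    resources: ["events"]
    verbs: ["create", "patch"]
---
# After the proposed change: Events are recorded against the trust-manager Pod,
# so the only Events permission required is in the namespace trust-manager runs in.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: trust-manager-events
  namespace: cert-manager     # assumed: where the trust-manager Pod runs
rules:
  - apiGroups: ["", "events.k8s.io"]
    resources: ["events"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: trust-manager-events
  namespace: cert-manager
subjects:
  - kind: ServiceAccount
    name: trust-manager       # assumed service account name
    namespace: cert-manager
roleRef:
  kind: Role
  name: trust-manager-events
  apiGroup: rbac.authorization.k8s.io
```

The Role in `default` can then be dropped entirely, which is the point of the proposal; the Pod's own name and namespace for the involvedObject are typically injected through the Downward API.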