diff --git a/charts/aws-pca-issuer/values.yaml b/charts/aws-pca-issuer/values.yaml
index e93ec97e..747cc4b2 100644
--- a/charts/aws-pca-issuer/values.yaml
+++ b/charts/aws-pca-issuer/values.yaml
@@ -31,7 +31,6 @@ service:
 type: ClusterIP
 port: 8080
-
 # Options for configuring a target ServiceAccount with the role to approve
 # all awspca.cert-manager.io requests.
 approverRole:
diff --git a/main.go b/main.go
index 0c4b6d8a..80365e24 100644
--- a/main.go
+++ b/main.go
@@ -53,6 +53,7 @@ func init() {
 func main() {
 var metricsAddr string
+ var restrictToNamespace string
 var enableLeaderElection bool
 var probeAddr string
 var disableApprovedCheck bool
@@ -64,6 +65,8 @@ func main() {
 "Enabling this will ensure there is only one active controller manager.")
 flag.BoolVar(&disableApprovedCheck, "disable-approved-check", false,
 "Disables waiting for CertificateRequests to have an approved condition before signing.")
+ flag.StringVar(&restrictToNamespace, "restrict-to-namespace", os.Getenv("RESTRICT_TO_NAMESPACE"),
+ "Restrict the controller to only process CertificateRequests in a specific namespace.")
 opts := zap.Options{
 Development: false,
@@ -80,6 +83,7 @@ func main() {
 HealthProbeBindAddress: probeAddr,
 LeaderElection: enableLeaderElection,
 LeaderElectionID: "b858308c.awspca.cert-manager.io",
+ Namespace: restrictToNamespace,
 })
 if err != nil {
 setupLog.Error(err, "unable to start manager")
@@ -93,6 +97,7 @@ func main() {
 Recorder: mgr.GetEventRecorderFor("awspcaissuer-controller"),
 GetCallerIdentity: true,
 }
+
 if err = (&controllers.AWSPCAIssuerReconciler{
 Client: mgr.GetClient(),
 Log: ctrl.Log.WithName("controllers").WithName("AWSPCAIssuer"),
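Review bot: The help text for `-restrict-to-namespace` in the `@@ -64,6 +65,8 @@` hunk understates what the flag does: on the new side the value is passed to the manager as `Namespace` and also gates whether the AWSPCAClusterIssuer controller is started, so it scopes every resource the manager watches (AWSPCAIssuers as well as CertificateRequests), not only CertificateRequests. Suggest `"Restrict the manager's cache and all controllers to a single namespace; when set, the cluster-scoped AWSPCAClusterIssuer controller is not started."`. The default is also taken unvalidated from `RESTRICT_TO_NAMESPACE`; a stray whitespace or an invalid namespace name would presumably only surface as list/watch errors after the manager starts, so trimming the value and logging the effective namespace before `ctrl.NewManager` would make misconfiguration visible at startup.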
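Review bot: `Namespace: restrictToNamespace` in the `@@ -80,6 +83,7 @@` hunk narrows only the manager's informer cache; it does not narrow what the controller's ServiceAccount is permitted to do, so on its own this is an operational scoping rather than a permission boundary. The chart change in this commit only drops a blank line, so nothing ties the flag to namespace-scoped RBAC; a deployment that relies on this flag should pair it with a Role/RoleBinding limited to that namespace, and a comment on the new line saying so, e.g. `// Cache-level restriction only; RBAC must be narrowed separately for this to act as a security boundary.`, would keep that expectation visible. Depending on the controller-runtime version pinned in go.mod, `Options.Namespace` may also be deprecated in favour of `cache.Options.DefaultNamespaces`, which is worth checking before building on it.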
@@ -102,15 +107,21 @@ func main() {
 setupLog.Error(err, "unable to create controller", "controller", "AWSPCAIssuer")
 os.Exit(1)
 }
- if err = (&controllers.AWSPCAClusterIssuerReconciler{
- Client: mgr.GetClient(),
- Log: ctrl.Log.WithName("controllers").WithName("AWSPCAClusterIssuer"),
- Scheme: mgr.GetScheme(),
- GenericController: genericIssuerController,
- }).SetupWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create controller", "controller", "AWSPCAClusterIssuer")
- os.Exit(1)
+
+ if restrictToNamespace != "" {
+ setupLog.Info("restricting controller to namespace, disable AWSPCAClusterIssuer controller", "namespace", restrictToNamespace)
+ } else {
+ if err = (&controllers.AWSPCAClusterIssuerReconciler{
+ Client: mgr.GetClient(),
+ Log: ctrl.Log.WithName("controllers").WithName("AWSPCAClusterIssuer"),
+ Scheme: mgr.GetScheme(),
+ GenericController: genericIssuerController,
+ }).SetupWithManager(mgr); err != nil {
+ setupLog.Error(err, "unable to create controller", "controller", "AWSPCAClusterIssuer")
+ os.Exit(1)
+ }
 }
+
 if err = (&controllers.CertificateRequestReconciler{
 Client: mgr.GetClient(),
 Log: ctrl.Log.WithName("controllers").WithName("CertificateRequest"),
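Review bot: Skipping the AWSPCAClusterIssuer controller when `restrictToNamespace` is set leaves a gap for CertificateRequests in that namespace which reference an AWSPCAClusterIssuer: the CertificateRequestReconciler registered just below (its setup continues past the hunk) would handle them against issuer state this process no longer reconciles, and with a namespace-limited cache it may not even observe the cluster-scoped object. If that reconciler still resolves cluster-issuer references, it should reject them explicitly in this mode with a clear condition rather than proceed, and the restriction should be stated where the flag is documented. The branch also reads more naturally with registration as the main path, `if restrictToNamespace == "" { /* register */ } else { setupLog.Info(...) }`, and the log message is clearer as `"restricting controller to namespace; AWSPCAClusterIssuer controller disabled"`.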