diff --git a/pkg/comp-functions/functions/vshngarage/deploy.go b/pkg/comp-functions/functions/vshngarage/deploy.go
index e34803e170..5e4da93206 100644
--- a/pkg/comp-functions/functions/vshngarage/deploy.go
+++ b/pkg/comp-functions/functions/vshngarage/deploy.go
@@ -2,6 +2,7 @@ package vshngarage
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 
@@ -71,6 +72,10 @@ func DeployGarage(ctx context.Context, comp *vshnv1.VSHNGarage, svc *runtime.Ser
 		"storageMetadataSpace": comp.Spec.Parameters.Service.MetadataStorage,
 	}
 
+	if err := applyAllowedNamespaces(values, svc.Config.Data["garageAllowedNamespaces"]); err != nil {
+		return runtime.NewFatalResult(err)
+	}
+
 	connectionDetails := []v1beta1.ConnectionDetail{
 		{
 			ObjectReference: corev1.ObjectReference{
@@ -103,3 +108,22 @@ func DeployGarage(ctx context.Context, comp *vshnv1.VSHNGarage, svc *runtime.Ser
 
 	return nil
 }
+
+// applyAllowedNamespaces decodes the JSON array through
+// the comp-functions config key (`garageAllowedNamespaces`) and injects it
+// into the vshngaragecluster chart values.
+// An empty input leaves values untouched, for backwards compatibility.
+// the chart simply skips the GarageReferenceGrant template.
+func applyAllowedNamespaces(values map[string]any, raw string) error {
+	if raw == "" {
+		return nil
+	}
+	var allowed []string
+	if err := json.Unmarshal([]byte(raw), &allowed); err != nil {
+		return fmt.Errorf("cannot parse garageAllowedNamespaces %q: %w", raw, err)
+	}
+	if len(allowed) > 0 {
+		values["allowedNamespaces"] = allowed
+	}
+	return nil
+}
diff --git a/pkg/comp-functions/functions/vshngarage/deploy_test.go b/pkg/comp-functions/functions/vshngarage/deploy_test.go
new file mode 100644
index 0000000000..d45d7566e0
--- /dev/null
+++ b/pkg/comp-functions/functions/vshngarage/deploy_test.go
@@ -0,0 +1,38 @@
+package vshngarage
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestApplyAllowedNamespaces(t *testing.T) {
+	t.Run("empty raw leaves values untouched", func(t *testing.T) {
+		values := map[string]any{"existing": "keep"}
+		require.NoError(t, applyAllowedNamespaces(values, ""))
+		_, present := values["allowedNamespaces"]
+		assert.False(t, present)
+		assert.Equal(t, "keep", values["existing"])
+	})
+
+	t.Run("populated list lands in values", func(t *testing.T) {
+		values := map[string]any{}
+		require.NoError(t, applyAllowedNamespaces(values, `["syn-appcat","team-a"]`))
+		assert.Equal(t, []string{"syn-appcat", "team-a"}, values["allowedNamespaces"])
+	})
+
+	t.Run("empty json array leaves values untouched", func(t *testing.T) {
+		values := map[string]any{}
+		require.NoError(t, applyAllowedNamespaces(values, `[]`))
+		_, present := values["allowedNamespaces"]
+		assert.False(t, present)
+	})
+
+	t.Run("malformed json fails", func(t *testing.T) {
+		values := map[string]any{}
+		err := applyAllowedNamespaces(values, `not-json`)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "cannot parse garageAllowedNamespaces")
+	})
+}