When having opa-kube-mgmt watching ConfigMaps from .Release.Namespace only, Role and RoleBinding should be more than enough to operate; not clear why it also requires to get/list/watch namespaces.
Using ClusterRole and ClusterRoleBinding when not needed is a security concern and do not respect namespaces isolation.
When having opa-kube-mgmt watching ConfigMaps from .Release.Namespace only, Role and RoleBinding should be more than enough to operate; not clear why it also requires to get/list/watch namespaces.
Using ClusterRole and ClusterRoleBinding when not needed is a security concern and do not respect namespaces isolation.