
Run operator with RoleBinding #2304

Open
caproven opened this issue Apr 24, 2023 · 1 comment

@caproven

  • Which image of the operator are you using? e.g. registry.opensource.zalan.do/acid/postgres-operator:v1.10.0
  • Where do you run it - cloud or metal? Kubernetes or OpenShift? OpenStack Kubernetes
  • Are you running Postgres Operator in production? no
  • Type of issue? question

I'm trying to run the operator while keeping resources as namespace-bound as possible. For configuration I've set watched_namespace: "" to watch the current namespace only. For RBAC, ClusterRoles are required, although I'm wondering if the operator can run with a RoleBinding instead of a ClusterRoleBinding.

I've tried changing the postgres-operator CRB to a RB in the example manifests and see the following log messages from the operator:

W0424 19:20:36.158731       1 reflector.go:424] github.com/zalando/postgres-operator/pkg/controller/controller.go:493: failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:default:postgres-operator" cannot list resource "nodes" in API group "" at the cluster scope
E0424 19:20:36.158757       1 reflector.go:140] github.com/zalando/postgres-operator/pkg/controller/controller.go:493: Failed to watch *v1.Node: failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:default:postgres-operator" cannot list resource "nodes" in API group "" at the cluster scope

As the ClusterRole still provides list & watch rules for node resources, I'm not sure what's causing these errors. The operator is still able to function (seemingly) and can create, update, and destroy Postgres clusters.

While I don't believe this is an actively supported configuration, I'd appreciate input on what may be causing these errors or if anyone else has a similar preference for namespace-level resources over cluster-wide ones.
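Added example (not from the issue or the operator's code base): a minimal model of how Kubernetes RBAC scopes a binding, which reproduces the log lines above. A RoleBinding may reference a ClusterRole, but it grants those rules only inside its own namespace, so cluster-scoped resources such as nodes are never reachable through it, while namespaced work (pods, services, the postgresqls CRD in the acid.zalan.do group, assumed here) still succeeds. The rule set is a constructed subset resembling the operator's ClusterRole, not the real manifest.

```python
"""Toy RBAC evaluator: RoleBinding vs ClusterRoleBinding scope (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Cluster-scoped resources carry no namespace; only a ClusterRoleBinding can grant them.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes", "clusterroles"}


@dataclass
class Rule:
    api_groups: Set[str]
    resources: Set[str]
    verbs: Set[str]


@dataclass
class Binding:
    kind: str                       # "RoleBinding" or "ClusterRoleBinding"
    rules: List[Rule]               # rules of the referenced ClusterRole
    namespace: Optional[str] = None  # RoleBinding only


def allowed(binding: Binding, verb: str, api_group: str, resource: str,
            namespace: Optional[str]) -> bool:
    """namespace=None models a cluster-scope request (e.g. `list nodes`)."""
    if binding.kind == "RoleBinding":
        # The referenced ClusterRole's rules apply only within the binding's
        # namespace, so a cluster-scope request (or another namespace) cannot match.
        if namespace is None or namespace != binding.namespace:
            return False
    if resource in CLUSTER_SCOPED and namespace is not None:
        return False  # cluster-scoped resources cannot be addressed per namespace
    for rule in binding.rules:
        if ((api_group in rule.api_groups or "*" in rule.api_groups)
                and (resource in rule.resources or "*" in rule.resources)
                and (verb in rule.verbs or "*" in rule.verbs)):
            return True
    return False


# Constructed subset of rules like those in the operator's ClusterRole manifest.
OPERATOR_RULES = [
    Rule({""}, {"nodes"}, {"get", "list", "watch"}),
    Rule({"acid.zalan.do"}, {"postgresqls"}, {"*"}),
    Rule({""}, {"pods", "services", "secrets"}, {"*"}),
]
RB = Binding("RoleBinding", OPERATOR_RULES, namespace="default")
CRB = Binding("ClusterRoleBinding", OPERATOR_RULES)


def rb_can_list_nodes() -> bool:
    return allowed(RB, "list", "", "nodes", None)   # False: the "forbidden" log line


def crb_can_list_nodes() -> bool:
    return allowed(CRB, "list", "", "nodes", None)  # True
```

The same rule set therefore yields the node list/watch failures under a RoleBinding while cluster create/update/delete in the bound namespace keeps working, which matches the behaviour described in the issue.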

@FxKu
Member

FxKu commented May 5, 2023

I have once attempted to support this with #786 but had no support for syncing roles and bindings - maybe we have to set it on our roadmap again or somebody from the community comes up with a follow-up PR.
