[Question] - Single reloader with namespace selector and namespace scoped rbac

[jdelucaa]

I would like to have a single instance of the Reloader watching specific namespaces, and I understand it is not possible unless given cluster scoped permissions to list/watch secrets and config maps? That's pretty broad, so I was expecting that by adding the specific namespaces to --namespace-selector and configuring Role and RoleBinding on those specific namespaces would make it work, and that the only cluster scoped permission required would be to list/watch/get namespaces. But it seems that it only works if deploying one instance of the Reloader per namespace and configuring the KUBERNETES_NAMESPACE env var.

Is that correct or am I missing something?