This repository has been archived by the owner on Apr 24, 2023. It is now read-only.

Operator appears to need cluster scope permissions so can't be in own namespace? #35

Open
flickerfly opened this issue Feb 6, 2020 · 0 comments


flickerfly commented Feb 6, 2020

Description

I have created a CSV and deployed the operator using that and the roles, service account and role binding in the deploy/ directory. I have deployed it into an operatorgroup having one namespace in it.

Upon doing that I see constant errors in the logs, presumably as it looks for the gitea CRs to act on.

Expected Behavior

Operator deploys without permission problems

Actual Behavior

Operator logs show this as soon as it is deployed.

E0206 12:27:37.686923       1 reflector.go:205] github.com/integr8ly/gitea-operator/vendor/sigs.k8s.io/controller-runtime/pkg/cache/internal/informers_map.go:126: 
Failed to list *v1alpha1.Gitea: giteas.integreatly.org is forbidden: 
User "system:serviceaccount:playground:gitea-operator" cannot list giteas.integreatly.org at the cluster scope: 
no RBAC policy matched

Environment

  • Operating system: (E.g RHEL 7.6 )
  • OpenShift version:
    ~$ oc version
    oc v3.11.0+0cbc58b
    kubernetes v1.11.0+d4cacc0
    features: Basic-Auth GSSAPI Kerberos SPNEGO

    Server https://ose.cms.solute.us:8443
    openshift v3.11.154
    kubernetes v1.11.0+d4cacc
  • OLM version: upgraded OpenShift 3.11 to use 0.12.0, functioning well with multiple other operators including our own.
  • Project Version/Tag: (E.g release-1.0.1) 06b13cd (tag: v0.0.5)

Steps to reproduce

Create OperatorGroup

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: playground
  namespace: playground
spec:
  targetNamespaces:
  - playground

Create RBAC requirements

oc create -f deploy/roles.yaml
oc create -f deploy/role_binding.yaml
oc create -f deploy/service_account.yaml

Create CSV in playground namespace
oc create -f gitea.csv -n playground

apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  annotations:
    capabilities: Basic Install
  name: gitea-operator.v0.0.5
  namespace: placeholder
spec:
  apiservicedefinitions: {}
  customresourcedefinitions:
    owned:
    - kind: Gitea
      name: giteas.integreatly.org
      version: v1alpha1
      displayName: Gitea
      description: Provides one managed Gitea instance per CR, deleted upon deletion of the CR.
  description: An Operator that installs Gitea. Installation is performed by creating a custom resource of kind Gitea. You can uninstall Gitea by removing this resource. The Operator will also watch all Gitea resources and reinstall them if they are deleted.
  displayName: Gitea Operator
  install:
    spec:
      deployments:
      - name: gitea-operator
        spec:
          replicas: 1
          selector:
            matchLabels:
              name: gitea-operator
          strategy: {}
          template:
            metadata:
              labels:
                name: gitea-operator
            spec:
              containers:
              - command:
                - gitea-operator
                env:
                - name: WATCH_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.annotations['olm.targetNamespaces']
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: OPERATOR_NAME
                  value: gitea-operator
                - name: TEMPLATE_PATH
                  value: /usr/local/bin/templates
                image: quay.io/integreatly/gitea-operator:master
                imagePullPolicy: Always
                name: gitea-operator
                ports:
                - containerPort: 60000
                  name: metrics
                resources: {}
              serviceAccountName: gitea-operator
      permissions:
      - rules:
        - apiGroups:
          - ""
          resources:
          - pods
          - services
          - endpoints
          - persistentvolumeclaims
          - events
          - configmaps
          - secrets
          - serviceaccounts
          verbs:
          - '*'
        - apiGroups:
          - apps
          resources:
          - deployments
          - daemonsets
          - replicasets
          - statefulsets
          verbs:
          - '*'
        - apiGroups:
          - monitoring.coreos.com
          resources:
          - servicemonitors
          verbs:
          - get
          - create
        - apiGroups:
          - integreatly.org
          resources:
          - '*'
          verbs:
          - '*'
        - apiGroups:
          - route.openshift.io
          resources:
          - routes
          - routes/custom-host
          verbs:
          - '*'
        - apiGroups:
          - extensions
          resources:
          - ingresses
          verbs:
          - '*'
        serviceAccountName: gitea-operator
    strategy: deployment
  installModes:
  - supported: true
    type: OwnNamespace
  - supported: true
    type: SingleNamespace
  - supported: false
    type: MultiNamespace
  - supported: true
    type: AllNamespaces
  maturity: alpha
  provider: {}
  version: 0.0.5

Check out the logs
oc logs $(oc get pods -l name=gitea-operator -n playground -o=custom-columns="name:.metadata.name" --no-headers)
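Added example (not code from the operator project or the issue author) that models how the CSV's `permissions` (namespaced Role) versus `clusterPermissions` (ClusterRole) rule sets are evaluated for the request named in the log line. It assumes only the rules shown in the CSV above, a single target namespace `playground`, and Kubernetes' `*` wildcard semantics; it shows why a list "at the cluster scope" cannot be satisfied by namespaced rules alone.

```python
"""Evaluate an RBAC request against the rule sets declared in an OLM CSV.

`permissions` become Roles bound in each target namespace; `clusterPermissions`
become ClusterRoles bound cluster-wide.  A request made "at the cluster scope"
(namespace is None) can only be authorized by the cluster-scoped set.
"""
from dataclasses import dataclass
from typing import Optional

# Subset of the rules from the issue's CSV; the integreatly.org rule is the
# one that matters for listing Gitea CRs.  The CSV declares no clusterPermissions.
CSV_PERMISSIONS = [
    {"apiGroups": [""], "resources": ["pods", "services", "secrets"], "verbs": ["*"]},
    {"apiGroups": ["integreatly.org"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["monitoring.coreos.com"], "resources": ["servicemonitors"],
     "verbs": ["get", "create"]},
]
CSV_CLUSTER_PERMISSIONS = []  # constructed: nothing is declared in the CSV above


@dataclass(frozen=True)
class Request:
    group: str
    resource: str
    verb: str
    namespace: Optional[str]  # None models "at the cluster scope"


def _matches(values, wanted):
    # Kubernetes RBAC treats "*" in apiGroups/resources/verbs as match-all.
    return "*" in values or wanted in values


def rule_allows(rule, req):
    return (_matches(rule["apiGroups"], req.group)
            and _matches(rule["resources"], req.resource)
            and _matches(rule["verbs"], req.verb))


def allowed(req, permissions, cluster_permissions, target_namespaces):
    """Return the rule set that authorizes the request, or None if no policy matches."""
    if any(rule_allows(r, req) for r in cluster_permissions):
        return "clusterPermissions"
    # Namespaced Roles only apply to requests scoped to a bound namespace.
    if req.namespace is not None and req.namespace in target_namespaces:
        if any(rule_allows(r, req) for r in permissions):
            return "permissions"
    return None


def check_list_giteas(namespace):
    req = Request("integreatly.org", "giteas", "list", namespace)
    return allowed(req, CSV_PERMISSIONS, CSV_CLUSTER_PERMISSIONS, {"playground"})
```

Running `check_list_giteas("playground")` returns `"permissions"`, while `check_list_giteas(None)` returns `None`, which is the "no RBAC policy matched" outcome the log reports when the operator lists at cluster scope instead of within its target namespace.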
