From f4eb25d27f99e7ca7a94756edeb1cfa48c50e3d3 Mon Sep 17 00:00:00 2001
From: Gaelle Fournier <gaelle.fournier.work@gmail.com>
Date: Fri, 10 Nov 2023 14:35:32 +0100
Subject: [PATCH] feat(install): Separate namespaced and descoped rbacs

Ref #3165
---
 config/rbac/descoped/kustomization.yaml       |  38 ++++
 .../operator-cluster-role-binding-events.yaml |  31 +++
 .../operator-cluster-role-binding-keda.yaml   |  31 +++
 ...operator-cluster-role-binding-knative.yaml |  31 +++
 .../operator-cluster-role-binding-leases.yaml |  31 +++
 ...ator-cluster-role-binding-podmonitors.yaml |  31 +++
 ...operator-cluster-role-binding-strimzi.yaml |  31 +++
 .../operator-cluster-role-binding.yaml        |  31 +++
 .../operator-cluster-role-events.yaml         |  34 ++++
 .../descoped/operator-cluster-role-keda.yaml  |  38 ++++
 .../operator-cluster-role-knative.yaml        |  80 ++++++++
 .../operator-cluster-role-leases.yaml         |  37 ++++
 .../operator-cluster-role-podmonitors.yaml    |  37 ++++
 .../operator-cluster-role-strimzi.yaml        |  33 +++
 .../rbac/descoped/operator-cluster-role.yaml  | 188 ++++++++++++++++++
 config/rbac/kustomization.yaml                |  29 ++-
 config/rbac/namespaced/kustomization.yaml     |  38 ++++
 .../operator-role-binding-events.yaml         |   0
 .../operator-role-binding-keda.yaml           |   0
 .../operator-role-binding-knative.yaml        |   0
 .../operator-role-binding-leases.yaml         |   0
 .../operator-role-binding-podmonitors.yaml    |   0
 .../operator-role-binding-strimzi.yaml        |   0
 .../operator-role-binding.yaml                |   0
 .../operator-role-events.yaml                 |   0
 .../{ => namespaced}/operator-role-keda.yaml  |   0
 .../operator-role-knative.yaml                |   0
 .../operator-role-leases.yaml                 |   0
 .../operator-role-podmonitors.yaml            |   0
 .../operator-role-strimzi.yaml                |   0
 .../rbac/{ => namespaced}/operator-role.yaml  |   0
 install/Makefile                              |  10 +-
 install/setup/kustomization.yaml              |  12 --
 pkg/install/operator.go                       | 136 +++++++++----
 34 files changed, 851 insertions(+), 76 deletions(-)
 create mode 100644 config/rbac/descoped/kustomization.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-binding-events.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-binding-keda.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-binding-knative.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-binding-leases.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-binding.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-events.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-keda.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-knative.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-leases.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-podmonitors.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role-strimzi.yaml
 create mode 100644 config/rbac/descoped/operator-cluster-role.yaml
 create mode 100644 config/rbac/namespaced/kustomization.yaml
 rename config/rbac/{ => namespaced}/operator-role-binding-events.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-binding-keda.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-binding-knative.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-binding-leases.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-binding-podmonitors.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-binding-strimzi.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-binding.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-events.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-keda.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-knative.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-leases.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-podmonitors.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role-strimzi.yaml (100%)
 rename config/rbac/{ => namespaced}/operator-role.yaml (100%)

diff --git a/config/rbac/descoped/kustomization.yaml b/config/rbac/descoped/kustomization.yaml
new file mode 100644
index 0000000000..ade2d46ba8
--- /dev/null
+++ b/config/rbac/descoped/kustomization.yaml
@@ -0,0 +1,38 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+#
+# rbac resources applicable for all kubernetes platforms - global operator
+#
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- operator-cluster-role-events.yaml
+- operator-cluster-role-knative.yaml
+- operator-cluster-role.yaml
+- operator-cluster-role-keda.yaml
+- operator-cluster-role-leases.yaml
+- operator-cluster-role-podmonitors.yaml
+- operator-cluster-role-strimzi.yaml
+- operator-cluster-role-binding-events.yaml
+- operator-cluster-role-binding-keda.yaml
+- operator-cluster-role-binding-knative.yaml
+- operator-cluster-role-binding-leases.yaml
+- operator-cluster-role-binding-podmonitors.yaml
+- operator-cluster-role-binding-strimzi.yaml
+- operator-cluster-role-binding.yaml
diff --git a/config/rbac/descoped/operator-cluster-role-binding-events.yaml b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
new file mode 100644
index 0000000000..9dd5228d26
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-events.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator-events
+  labels:
+    app: "camel-k"
+subjects:
+- kind: ServiceAccount
+  name: camel-k-operator
+  namespace: placeholder
+roleRef:
+  kind: ClusterRole
+  name: camel-k-operator-events
+  apiGroup: rbac.authorization.k8s.io
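Review bot: The subject's `namespace: placeholder` is a literal value, so if this manifest is ever applied without a substitution step the ClusterRole is bound to a `camel-k-operator` ServiceAccount in whatever namespace is named `placeholder`, not to the real operator. The same subject block appears in the keda, knative, leases, podmonitors, strimzi and main operator ClusterRoleBinding files added by this patch. The rewrite presumably happens in `pkg/install/operator.go` or in a kustomize overlay, neither of which is visible here, so it is worth confirming that every install path (kamel CLI, `install/Makefile`, plain kustomize) sets `subjects[].namespace`. A comment above the subject would make the contract explicit, e.g. `# namespace is rewritten at install time; do not apply this file as-is`.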
diff --git a/config/rbac/descoped/operator-cluster-role-binding-keda.yaml b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
new file mode 100644
index 0000000000..92e154e878
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-keda.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator-keda
+  labels:
+    app: "camel-k"
+subjects:
+- kind: ServiceAccount
+  name: camel-k-operator
+  namespace: placeholder
+roleRef:
+  kind: ClusterRole
+  name: camel-k-operator-keda
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-knative.yaml b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
new file mode 100644
index 0000000000..739b0dd06a
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-knative.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator-knative
+  labels:
+    app: "camel-k"
+subjects:
+- kind: ServiceAccount
+  name: camel-k-operator
+  namespace: placeholder
+roleRef:
+  kind: ClusterRole
+  name: camel-k-operator-knative
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-leases.yaml b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
new file mode 100644
index 0000000000..35d667fd12
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-leases.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator-leases
+  labels:
+    app: "camel-k"
+subjects:
+- kind: ServiceAccount
+  name: camel-k-operator
+  namespace: placeholder
+roleRef:
+  kind: ClusterRole
+  name: camel-k-operator-leases
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
new file mode 100644
index 0000000000..bef231b078
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator-podmonitors
+  labels:
+    app: "camel-k"
+subjects:
+- kind: ServiceAccount
+  name: camel-k-operator
+  namespace: placeholder
+roleRef:
+  kind: ClusterRole
+  name: camel-k-operator-podmonitors
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
new file mode 100644
index 0000000000..fefd143525
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding-strimzi.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator-strimzi
+  labels:
+    app: "camel-k"
+subjects:
+- kind: ServiceAccount
+  name: camel-k-operator
+  namespace: placeholder
+roleRef:
+  kind: ClusterRole
+  name: camel-k-operator-strimzi
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-binding.yaml b/config/rbac/descoped/operator-cluster-role-binding.yaml
new file mode 100644
index 0000000000..83f227d628
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-binding.yaml
@@ -0,0 +1,31 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator
+  labels:
+    app: "camel-k"
+subjects:
+- kind: ServiceAccount
+  name: camel-k-operator
+  namespace: placeholder
+roleRef:
+  kind: ClusterRole
+  name: camel-k-operator
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/descoped/operator-cluster-role-events.yaml b/config/rbac/descoped/operator-cluster-role-events.yaml
new file mode 100644
index 0000000000..1dfd24b01e
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-events.yaml
@@ -0,0 +1,34 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator-events
+  labels:
+    app: "camel-k"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - get
+  - list
+  - watch
diff --git a/config/rbac/descoped/operator-cluster-role-keda.yaml b/config/rbac/descoped/operator-cluster-role-keda.yaml
new file mode 100644
index 0000000000..3b3f432ebb
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-keda.yaml
@@ -0,0 +1,38 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator-keda
+  labels:
+    app: "camel-k"
+rules:
+- apiGroups:
+  - "keda.sh"
+  resources:
+  - scaledobjects
+  - triggerauthentications
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/config/rbac/descoped/operator-cluster-role-knative.yaml b/config/rbac/descoped/operator-cluster-role-knative.yaml
new file mode 100644
index 0000000000..305d26b624
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-knative.yaml
@@ -0,0 +1,80 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator-knative
+  labels:
+    app: "camel-k"
+rules:
+- apiGroups:
+  - serving.knative.dev
+  resources:
+  - services
+  - routes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - eventing.knative.dev
+  resources:
+  - triggers
+  - brokers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+- apiGroups:
+  - messaging.knative.dev
+  resources:
+  - subscriptions
+  - channels
+  - inmemorychannels
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+- apiGroups:
+  - sources.knative.dev
+  resources:
+  - sinkbindings
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - patch
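Review bot: The final rule grants `get` and `patch` on `namespaces` from a ClusterRole, so in descoped mode the operator's service account can modify the metadata of every namespace in the cluster, including labels that admission or policy controllers may key on. In the namespaced Role the equivalent rule presumably reaches only the operator's own namespace, which makes this a real widening rather than a straight copy. If `patch` is needed only to label namespaces for Knative (not shown in this hunk), say so next to the rule, e.g. `# patch: labels the integration namespace for Knative; cluster-wide in descoped mode`. Separately, the `eventing`, `messaging` and `sources` rules omit `watch` while the `serving` rule includes it; worth confirming that difference is intended.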
diff --git a/config/rbac/descoped/operator-cluster-role-leases.yaml b/config/rbac/descoped/operator-cluster-role-leases.yaml
new file mode 100644
index 0000000000..6ea671bd28
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-leases.yaml
@@ -0,0 +1,37 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator-leases
+  labels:
+    app: "camel-k"
+rules:
+- apiGroups:
+  - "coordination.k8s.io"
+  resources:
+  - leases
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
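Review bot: `create`, `delete` and `deletecollection` on `leases` become cluster-wide with this ClusterRole, so the operator's service account could remove or take over leader-election leases that belong to other controllers in any namespace. If the operator uses a lease only for its own leader election, which this hunk does not show, a Role and RoleBinding in the operator's namespace would cover that and this ClusterRole could be left out of the descoped set. Otherwise, add a comment above the rule stating why cluster scope is required, so that someone auditing the install manifests can tell the grant is deliberate.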
diff --git a/config/rbac/descoped/operator-cluster-role-podmonitors.yaml b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
new file mode 100644
index 0000000000..2578103c38
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-podmonitors.yaml
@@ -0,0 +1,37 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator-podmonitors
+  labels:
+    app: "camel-k"
+rules:
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - podmonitors
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/config/rbac/descoped/operator-cluster-role-strimzi.yaml b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
new file mode 100644
index 0000000000..9ccea139fd
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role-strimzi.yaml
@@ -0,0 +1,33 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator-strimzi
+  labels:
+    app: "camel-k"
+rules:
+- apiGroups:
+  - "kafka.strimzi.io"
+  resources:
+  - kafkatopics
+  - kafkas
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/config/rbac/descoped/operator-cluster-role.yaml b/config/rbac/descoped/operator-cluster-role.yaml
new file mode 100644
index 0000000000..d7ee2fa399
--- /dev/null
+++ b/config/rbac/descoped/operator-cluster-role.yaml
@@ -0,0 +1,188 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camel-k-operator
+  labels:
+    app: "camel-k"
+rules:
+- apiGroups:
+  - camel.apache.org
+  resources:
+  - builds
+  - camelcatalogs
+  - integrationkits
+  - integrationplatforms
+  - integrations
+  - pipes
+  # Deprecated: kameletbindings CR
+  - kameletbindings
+  - kamelets
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - camel.apache.org
+  resources:
+  - builds
+  verbs:
+  - delete
+- apiGroups:
+  - camel.apache.org
+  resources:
+  - builds/status
+  - camelcatalogs/status
+  - integrationkits/status
+  - integrationplatforms/status
+  - integrations/scale
+  - integrations/status
+  - pipes/status
+  - pipes/scale
+  # Deprecated: kameletbindings CR
+  - kameletbindings/status
+  - kameletbindings/scale
+  - kamelets/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - endpoints
+  - persistentvolumeclaims
+  - configmaps
+  - secrets
+  - serviceaccounts
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - pods/proxy
+  - pods/log
+  verbs:
+  - get
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - update
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  - clusterrolebindings
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
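Review bot: The `rbac.authorization.k8s.io` rule lists `clusterrolebindings` with every write verb, and combined with the cluster-wide `secrets`, `serviceaccounts`, `pods` and `pods/exec` rules above it gives the descoped operator's service account reach close to cluster-admin. Kubernetes only lets a subject bind roles whose permissions it already holds (or on which it has `bind`), but with this rule set that bound is already very wide. If the operator does not create ClusterRoleBindings at runtime (not visible in this patch), drop `clusterrolebindings` from the resource list; if it does, move it into its own rule with only the verbs it needs and a comment naming the use. A short header comment stating that this role is cluster-wide and intended only for the global operator install would also help reviewers of the manifests.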
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index f2600f1626..5b3e03f558 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -23,23 +23,22 @@ kind: Kustomization
 
 resources:
 - user-cluster-role.yaml
-- operator-role-events.yaml
-- operator-role-knative.yaml
-- operator-role.yaml
-- operator-role-keda.yaml
-- operator-role-leases.yaml
-- operator-role-podmonitors.yaml
-- operator-role-strimzi.yaml
-- operator-role-binding-events.yaml
-- operator-role-binding-keda.yaml
-- operator-role-binding-knative.yaml
-- operator-role-binding-leases.yaml
-- operator-role-binding-local-registry.yaml
-- operator-role-binding-podmonitors.yaml
-- operator-role-binding-strimzi.yaml
-- operator-role-binding.yaml
 - operator-cluster-role-custom-resource-definitions.yaml
 - operator-cluster-role-binding-custom-resource-definitions.yaml
 - operator-cluster-role-addressable-resolver.yaml
 - operator-cluster-role-binding-addressable-resolver.yaml
 - operator-cluster-role-local-registry.yaml
+- operator-role-binding-local-registry.yaml
+
+
+transformers:
+- |-
+  apiVersion: builtin
+  kind: PatchTransformer
+  metadata:
+    name: fix-local-registry-rbac-namespace
+  patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
+  target:
+    group: rbac.authorization.k8s.io
+    kind: RoleBinding
+    name: camel-k-operator-local-registry
\ No newline at end of file
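Review bot: The JSON patch uses `"op": "replace"` on `/metadata/namespace`, and under RFC 6902 a replace fails when the target path does not exist, so the build depends on `operator-role-binding-local-registry.yaml` already carrying a `metadata.namespace` field (that file is not shown here). `add` sets the member whether or not it exists: `patch: '[{"op": "add", "path": "/metadata/namespace", "value": "kube-public"}]'`. The file now also ends without a trailing newline, and there are two blank lines before `transformers:` where one would do.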
diff --git a/config/rbac/namespaced/kustomization.yaml b/config/rbac/namespaced/kustomization.yaml
new file mode 100644
index 0000000000..510beb4d57
--- /dev/null
+++ b/config/rbac/namespaced/kustomization.yaml
@@ -0,0 +1,38 @@
+# ---------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ---------------------------------------------------------------------------
+
+#
+# rbac resources applicable for all kubernetes platforms - namespaced operator
+#
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- operator-role-events.yaml
+- operator-role-knative.yaml
+- operator-role.yaml
+- operator-role-keda.yaml
+- operator-role-leases.yaml
+- operator-role-podmonitors.yaml
+- operator-role-strimzi.yaml
+- operator-role-binding-events.yaml
+- operator-role-binding-keda.yaml
+- operator-role-binding-knative.yaml
+- operator-role-binding-leases.yaml
+- operator-role-binding-podmonitors.yaml
+- operator-role-binding-strimzi.yaml
+- operator-role-binding.yaml
diff --git a/config/rbac/operator-role-binding-events.yaml b/config/rbac/namespaced/operator-role-binding-events.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-events.yaml
rename to config/rbac/namespaced/operator-role-binding-events.yaml
diff --git a/config/rbac/operator-role-binding-keda.yaml b/config/rbac/namespaced/operator-role-binding-keda.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-keda.yaml
rename to config/rbac/namespaced/operator-role-binding-keda.yaml
diff --git a/config/rbac/operator-role-binding-knative.yaml b/config/rbac/namespaced/operator-role-binding-knative.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-knative.yaml
rename to config/rbac/namespaced/operator-role-binding-knative.yaml
diff --git a/config/rbac/operator-role-binding-leases.yaml b/config/rbac/namespaced/operator-role-binding-leases.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-leases.yaml
rename to config/rbac/namespaced/operator-role-binding-leases.yaml
diff --git a/config/rbac/operator-role-binding-podmonitors.yaml b/config/rbac/namespaced/operator-role-binding-podmonitors.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-podmonitors.yaml
rename to config/rbac/namespaced/operator-role-binding-podmonitors.yaml
diff --git a/config/rbac/operator-role-binding-strimzi.yaml b/config/rbac/namespaced/operator-role-binding-strimzi.yaml
similarity index 100%
rename from config/rbac/operator-role-binding-strimzi.yaml
rename to config/rbac/namespaced/operator-role-binding-strimzi.yaml
diff --git a/config/rbac/operator-role-binding.yaml b/config/rbac/namespaced/operator-role-binding.yaml
similarity index 100%
rename from config/rbac/operator-role-binding.yaml
rename to config/rbac/namespaced/operator-role-binding.yaml
diff --git a/config/rbac/operator-role-events.yaml b/config/rbac/namespaced/operator-role-events.yaml
similarity index 100%
rename from config/rbac/operator-role-events.yaml
rename to config/rbac/namespaced/operator-role-events.yaml
diff --git a/config/rbac/operator-role-keda.yaml b/config/rbac/namespaced/operator-role-keda.yaml
similarity index 100%
rename from config/rbac/operator-role-keda.yaml
rename to config/rbac/namespaced/operator-role-keda.yaml
diff --git a/config/rbac/operator-role-knative.yaml b/config/rbac/namespaced/operator-role-knative.yaml
similarity index 100%
rename from config/rbac/operator-role-knative.yaml
rename to config/rbac/namespaced/operator-role-knative.yaml
diff --git a/config/rbac/operator-role-leases.yaml b/config/rbac/namespaced/operator-role-leases.yaml
similarity index 100%
rename from config/rbac/operator-role-leases.yaml
rename to config/rbac/namespaced/operator-role-leases.yaml
diff --git a/config/rbac/operator-role-podmonitors.yaml b/config/rbac/namespaced/operator-role-podmonitors.yaml
similarity index 100%
rename from config/rbac/operator-role-podmonitors.yaml
rename to config/rbac/namespaced/operator-role-podmonitors.yaml
diff --git a/config/rbac/operator-role-strimzi.yaml b/config/rbac/namespaced/operator-role-strimzi.yaml
similarity index 100%
rename from config/rbac/operator-role-strimzi.yaml
rename to config/rbac/namespaced/operator-role-strimzi.yaml
diff --git a/config/rbac/operator-role.yaml b/config/rbac/namespaced/operator-role.yaml
similarity index 100%
rename from config/rbac/operator-role.yaml
rename to config/rbac/namespaced/operator-role.yaml
diff --git a/install/Makefile b/install/Makefile
index ce329c6d51..a80f5e3da9 100644
--- a/install/Makefile
+++ b/install/Makefile
@@ -241,13 +241,11 @@ endif
 setup: setup-cluster
 # Set the namespace in the setup kustomization yaml
 	@$(call set-kustomize-namespace,$@)
-# If GLOBAL then add the conversion patches for all roles and rolebindings
-ifeq ($(GLOBAL),true)
-	@$(call add-remove-kind-patch,setup,add,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role)
-	@$(call add-remove-kind-patch,setup,add,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding)
+# If GLOBAL then add the versions with clusterroles and clusterrolebindings
+ifeq ($(GLOBAL), true)
+	@cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/descoped && cd - &> /dev/null;
 else
-	@$(call add-remove-kind-patch,setup,remove,../$(ROLE_TO_CROLE_PATCH).$(YAML),Role)
-	@$(call add-remove-kind-patch,setup,remove,../$(ROLEBIN_TO_CROLEBIN_PATCH).$(YAML),RoleBinding)
+	@cd $@ || exit 1 && $(KUSTOMIZE) edit add resource ../$(RBAC)/namespaced && cd - &> /dev/null;
 endif
 ifeq ($(PLATFORM), openshift)
 	@for res in $(RBAC_OS)/operator-role*; do \
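Review bot: Both branches only ever `edit add resource`, while the removed code had a matching `remove` in the non-GLOBAL branch, so the choice is no longer reversible. Unless the setup kustomization is reset somewhere outside this hunk, running `make setup GLOBAL=true` followed by a namespaced `make setup` leaves `../$(RBAC)/descoped` listed next to `../$(RBAC)/namespaced`, and the namespaced install would still apply the ClusterRoles and ClusterRoleBindings. Each branch should first drop the other variant, e.g. in the else branch `@cd $@ || exit 1 && $(KUSTOMIZE) edit remove resource ../$(RBAC)/descoped && cd - &> /dev/null;`, with the mirror line in the GLOBAL branch. Note also that `&>` is a bash redirection; if the Makefile's SHELL is a POSIX sh it parses as a background `&`, so `> /dev/null 2>&1` is the portable form. The `setup` recipe continues past the end of this hunk.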
diff --git a/install/setup/kustomization.yaml b/install/setup/kustomization.yaml
index 9598726cae..c10dfd6538 100644
--- a/install/setup/kustomization.yaml
+++ b/install/setup/kustomization.yaml
@@ -19,15 +19,3 @@ kind: Kustomization
 
 resources:
 - ../config/rbac
-
-transformers:
-- |-
-  apiVersion: builtin
-  kind: PatchTransformer
-  metadata:
-    name: fix-local-registry-rbac-namespace
-  patch: '[{"op": "replace", "path": "/metadata/namespace", "value": "kube-public"}]'
-  target:
-    group: rbac.authorization.k8s.io
-    kind: RoleBinding
-    name: camel-k-operator-local-registry
diff --git a/pkg/install/operator.go b/pkg/install/operator.go
index 9daf61ee0c..426cf2e223 100644
--- a/pkg/install/operator.go
+++ b/pkg/install/operator.go
@@ -260,7 +260,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 	}
 
 	// Install Kubernetes RBAC resources (roles and bindings)
-	if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err := installKubernetesRoles(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		return err
 	}
 
@@ -289,7 +289,7 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 		return err
 	}
 	if isKnative {
-		if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+		if err := installKnative(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 			return err
 		}
 		if err := installClusterRoleBinding(ctx, c, collection, cfg.Namespace, "camel-k-operator-bind-addressable-resolver", "/rbac/operator-cluster-role-binding-addressable-resolver.yaml"); err != nil {
@@ -301,35 +301,35 @@ func OperatorOrCollect(ctx context.Context, cmd *cobra.Command, c client.Client,
 		}
 	}
 
-	if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err = installEvents(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to publish Kubernetes events. Try installing as cluster-admin to allow it to generate events.")
 	}
 
-	if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err = installKedaBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create KEDA resources. Try installing as cluster-admin.")
 	}
 
-	if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err = installPodMonitors(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to create PodMonitor resources. Try installing as cluster-admin.")
 	}
 
-	if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err := installStrimziBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
 		fmt.Fprintln(cmd.ErrOrStderr(), "Warning: the operator will not be able to lookup strimzi kafka resources. Try installing as cluster-admin to allow the lookup of strimzi kafka resources.")
 	}
 
-	if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force); err != nil {
+	if err = installLeaseBindings(ctx, c, cfg.Namespace, customizer, collection, force, cfg.Global); err != nil {
 		if k8serrors.IsAlreadyExists(err) {
 			return err
 		}
@@ -491,12 +491,20 @@ func installOpenShiftRoles(ctx context.Context, c client.Client, namespace strin
 	)
 }
 
-func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/manager/operator-service-account.yaml",
-		"/rbac/operator-role.yaml",
-		"/rbac/operator-role-binding.yaml",
-	)
+func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/manager/operator-service-account.yaml",
+			"/rbac/descoped/operator-cluster-role.yaml",
+			"/rbac/descoped/operator-cluster-role-binding.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/manager/operator-service-account.yaml",
+			"/rbac/namespaced/operator-role.yaml",
+			"/rbac/namespaced/operator-role-binding.yaml",
+		)
+	}
 }
 
 func installOperator(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
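Review bot: installKubernetesRoles carries an `else` after a terminating `return` and repeats the whole ResourcesOrCollect call in each branch, which makes the hand-copied path pairs hard to compare. The same shape is repeated in installKedaBindings, installKnative, installEvents, installPodMonitors, installStrimziBindings and installLeaseBindings in the later hunks. Selecting the two paths first and making a single call keeps the scoped and cluster-wide variants side by side. The function also lacks a doc comment; one stating that `global` switches from a namespace-scoped Role and RoleBinding to a ClusterRole and ClusterRoleBinding would make the privilege difference explicit at the definition. The function is complete within this hunk.

```go
func installKubernetesRoles(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
	role, binding := "/rbac/namespaced/operator-role.yaml", "/rbac/namespaced/operator-role-binding.yaml"
	if global {
		role, binding = "/rbac/descoped/operator-cluster-role.yaml", "/rbac/descoped/operator-cluster-role-binding.yaml"
	}
	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
		"/manager/operator-service-account.yaml",
		role,
		binding,
	)
}
```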
@@ -505,39 +513,74 @@ func installOperator(ctx context.Context, c client.Client, namespace string, cus
 	)
 }
 
-func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-keda.yaml",
-		"/rbac/operator-role-binding-keda.yaml",
-	)
+func installKedaBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-keda.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-keda.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-keda.yaml",
+			"/rbac/namespaced/operator-role-binding-keda.yaml",
+		)
+	}
 }
 
-func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-knative.yaml",
-		"/rbac/operator-role-binding-knative.yaml",
-	)
+func installKnative(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-knative.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-knative.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-knative.yaml",
+			"/rbac/namespaced/operator-role-binding-knative.yaml",
+		)
+	}
 }
 
-func installEvents(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-events.yaml",
-		"/rbac/operator-role-binding-events.yaml",
-	)
+func installEvents(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-cluster-role-events.yaml",
+			"/rbac/namespaced/operator-cluster-role-binding-events.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-events.yaml",
+			"/rbac/namespaced/operator-role-binding-events.yaml",
+		)
+	}
 }
 
-func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-podmonitors.yaml",
-		"/rbac/operator-role-binding-podmonitors.yaml",
-	)
+func installPodMonitors(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-podmonitors.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-podmonitors.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-podmonitors.yaml",
+			"/rbac/namespaced/operator-role-binding-podmonitors.yaml",
+		)
+	}
 }
 
-func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-strimzi.yaml",
-		"/rbac/operator-role-binding-strimzi.yaml",
-	)
+func installStrimziBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-strimzi.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-strimzi.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-strimzi.yaml",
+			"/rbac/namespaced/operator-role-binding-strimzi.yaml",
+		)
+	}
 }
 
 func installMonitoringResources(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
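Review bot: The global branch of installEvents loads `/rbac/namespaced/operator-cluster-role-events.yaml` and `/rbac/namespaced/operator-cluster-role-binding-events.yaml`, but the commit's file list places both files under `config/rbac/descoped/`, and every other installer in this hunk uses `/rbac/descoped/...` in its global branch. The two strings should read `"/rbac/descoped/operator-cluster-role-events.yaml"` and `"/rbac/descoped/operator-cluster-role-binding-events.yaml"`. As written, a global install presumably fails to resolve the resource, and the caller in OperatorOrCollect turns any error other than AlreadyExists into the "will not be able to publish Kubernetes events" warning. The mistake would then surface as a misleading cluster-admin hint instead of a hard failure. A test that checks every path passed to ResourcesOrCollect against the embedded resources, for both values of `global`, would catch this class of typo.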
@@ -547,11 +590,18 @@ func installMonitoringResources(ctx context.Context, c client.Client, namespace
 	)
 }
 
-func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool) error {
-	return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
-		"/rbac/operator-role-leases.yaml",
-		"/rbac/operator-role-binding-leases.yaml",
-	)
+func installLeaseBindings(ctx context.Context, c client.Client, namespace string, customizer ResourceCustomizer, collection *kubernetes.Collection, force bool, global bool) error {
+	if global {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/descoped/operator-cluster-role-leases.yaml",
+			"/rbac/descoped/operator-cluster-role-binding-leases.yaml",
+		)
+	} else {
+		return ResourcesOrCollect(ctx, c, namespace, collection, force, customizer,
+			"/rbac/namespaced/operator-role-leases.yaml",
+			"/rbac/namespaced/operator-role-binding-leases.yaml",
+		)
+	}
 }
 
 // NewPlatform creates a new IntegrationPlatform instance.