feat: reduce the permission of restricted mode (#75)

Co-authored-by: Jiaming Hu <[email protected]>

Author: ibm-ci-bot

bundle-restricted/manifests/ibm-namespace-scope-operator-restricted.clusterserviceversion.yaml

@@ -115,7 +115,13 @@ spec:
           resources:
           - '*'
           verbs:
-          - '*'
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
         serviceAccountName: ibm-namespace-scope-operator
     strategy: deployment
   installModes:

controllers/namespacescope_controller.go

@@ -700,7 +700,16 @@ func (r *NamespaceScopeReconciler) checkNamespaceAdminAuth(namespace string) boo
 
 func (r *NamespaceScopeReconciler) getValidatedNamespaces(instance *operatorv1.NamespaceScope) ([]string, error) {
 	var validatedNs []string
+	operatorNs, err := util.GetOperatorNamespace()
+	if err != nil {
+		klog.Error("get operator namespace failed: ", err)
+		return validatedNs, err
+	}
 	for _, nsMem := range instance.Spec.NamespaceMembers {
+		if nsMem == operatorNs {
+			validatedNs = append(validatedNs, nsMem)
+			continue
+		}
 		// Check if operator has target namespace admin permission
 		if r.checkNamespaceAdminAuth(nsMem) {
 			// Check if operator has permission to get namespace resource