What kind of permissions are needed for get, watch, and list operations with Flux and K8s resources

[imacq]

We need to identify the minimal RBAC permissions required for read-only (get, watch, list) operations on Flux resources in our Kubernetes cluster for use with the Headlamp Flux plugin.

Current behavior

Currently receiving 403 Forbidden errors when attempting to access Flux resources through the Headlamp UI:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:anonymous\" cannot list resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "group": "apiextensions.k8s.io",
    "kind": "customresourcedefinitions"
  },
  "code": 403
}

also seeing:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "serviceaccounts \"sa-support-headlamp\" is forbidden: User \"system:anonymous\" cannot get resource \"serviceaccounts/token\" in API group \"\" in the namespace \"cluster-mgmt\"",
  "reason": "Forbidden",
  "details": {
    "name": "sa-support-headlamp",
    "kind": "serviceaccounts"
  },
  "code": 403
}

Questions

1. What are the minimal RBAC permissions needed for read-only access to Flux resources?
2. Why are the requests being processed as "system" instead of using our ServiceAccount?
3. Is there a specific ClusterRole configuration recommended for the Headlamp Flux plugin?
4. Are there additional permissions needed for ServiceAccount token operations?

Expected outcome

A minimal ClusterRole configuration that allows read-only access to Flux resources for the Headlamp plugin without granting unnecessary permissions.