refactor the minimal RBAC requirements description again

Author: laverya

docs/vendor/replicated-sdk-customizing.md

@@ -264,29 +264,29 @@ rules:
 
 ### Install the SDK with Custom RBAC
 
-#### Custom RBAC Requirements
-
-The SDK requires the following minimum RBAC permissions:
+The SDK requires the following minimum RBAC permissions to start:
 * Create Secrets.
 * Get and update Secrets named `replicated`, `replicated-instance-report`, `replicated-meta-data`, and `replicated-custom-app-metrics-report`.
 * Get the `replicated` deployment.
 * Get the `replicaset` and `pods` corresponding to the `replicated` deployment.
-* The SDK requires the following minimum RBAC permissions for status informers:
-  * If you defined custom status informers, then the SDK must have permissions to `list` and `watch` all the types of resources listed in the `replicated.statusInformers` array in your Helm chart `values.yaml` file, as well as the ability to `get` the named resource.
-    
-    For instance, if you have a single status informer `deployment/myapp`, then the SDK requires permissions to `list` and `watch` all deployments as well as `get` the `myapp` deployment.
-  * If you did _not_ define custom status informers, then the SDK must have permissions to `get`, `list`, and `watch` the following resources:
-    * Deployments
-    * Daemonsets
-    * Ingresses
-    * PersistentVolumeClaims
-    * Statefulsets
-    * Services   
-  * For any Ingress resources used as status informers, the SDK requires `get` permissions for the Service resources listed in the `backend.Service.Name` field of the Ingress resource.
-  * For any Daemonset and Statefulset resources used as status informers, the SDK requires `list` permissions for pods in the namespace.
-  * For any Service resources used as status informers, the SDK requires `get` permissions for Endpoint resources with the same name as the service.  
-
-  The Replicated Vendor Portal uses status informers to provide application status data. For more information, see [Helm Installations](/vendor/insights-app-status#helm-installations) in _Enabling and Understanding Application Status_.
+
+The SDK requires the following minimum RBAC permissions for status informers:
+* If you defined custom status informers, then the SDK must have permissions to `list` and `watch` all the types of resources listed in the `replicated.statusInformers` array in your Helm chart `values.yaml` file, as well as the ability to `get` the named resource.
+
+  For instance, if you have a single status informer `deployment/myapp`, then the SDK requires permissions to `list` and `watch` all deployments as well as `get` the `myapp` deployment.
+* If you did _not_ define custom status informers, then the SDK must have permissions to `get`, `list`, and `watch` the following resources:
+  * Deployments
+  * Daemonsets
+  * Ingresses
+  * PersistentVolumeClaims
+  * Statefulsets
+  * Services
+* If you did _not_ define custom status informers, then the SDK must have permissions to `get`, and `list` all secrets within the namespace in order to discover the Helm Chart secret for your app and determine what resources to monitor.
+* For any Ingress resources used as status informers, the SDK requires `get` permissions for the Service resources listed in the `backend.Service.Name` field of the Ingress resource.
+* For any Daemonset and Statefulset resources used as status informers, the SDK requires `list` permissions for pods in the namespace.
+* For any Service resources used as status informers, the SDK requires `get` permissions for Endpoint resources with the same name as the service.
+
+The Replicated Vendor Portal uses status informers to provide application status data. For more information, see [Helm Installations](/vendor/insights-app-status#helm-installations) in _Enabling and Understanding Application Status_.
 
 #### Custom ServiceAccount