fix: use namespace-scoped watching to avoid cluster-wide LIST permissions

mohsenmottaghi · scottrigby · commit 66cab24bb95f · 2026-01-14T17:42:11.000-05:00
Signed-off-by: Mohsen Mottaghi <mohsenmottaghi@outlook.com> (cherry picked from commit 3dd54ed)
diff --git a/pkg/kube/statuswait.go b/pkg/kube/statuswait.go
@@ -113,7 +113,9 @@ func (w *statusWaiter) waitForDelete(ctx context.Context, resourceList ResourceL
 		}
 		resources = append(resources, obj)
 	}
-	eventCh := sw.Watch(cancelCtx, resources, watcher.Options{})
+	eventCh := sw.Watch(cancelCtx, resources, watcher.Options{
+		RESTScopeStrategy: watcher.RESTScopeNamespace,
+	})
 	statusCollector := collector.NewResourceStatusCollector(resources)
 	done := statusCollector.ListenWithObserver(eventCh, statusObserver(cancel, status.NotFoundStatus))
 	<-done
@@ -156,7 +158,9 @@ func (w *statusWaiter) wait(ctx context.Context, resourceList ResourceList, sw w
 		resources = append(resources, obj)
 	}
 
-	eventCh := sw.Watch(cancelCtx, resources, watcher.Options{})
+	eventCh := sw.Watch(cancelCtx, resources, watcher.Options{
+		RESTScopeStrategy: watcher.RESTScopeNamespace,
+	})
 	statusCollector := collector.NewResourceStatusCollector(resources)
 	done := statusCollector.ListenWithObserver(eventCh, statusObserver(cancel, status.CurrentStatus))
 	<-done
