Concerned with how broad the cluster permissions for gitlab-runner-operator are

Hello

The gitlab-runner-operator.v... ClusterRole, granted to the operator's manager cluster wide (using ClusterRoleBinding), is very broad. Particularly concerned with Secrets:

  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch

This means the operator can read all Secrets in the cluster. Is that really necessary? If the gitlab-runner-operator or it's service account are compromised, an attacker could access everyone's Secrets. If the operator needs to manage Secrets, then perhaps write permission will suffice?

Saw this in v1.1.0 and v1.4.0.

Thanks

Marek