From 3dd54ed0b693e5e5805cceb535ed5167fa5ada25 Mon Sep 17 00:00:00 2001
From: Mohsen Mottaghi <mohsenmottaghi@outlook.com>
Date: Fri, 5 Dec 2025 17:14:07 +0330
Subject: [PATCH] fix: use namespace-scoped watching to avoid cluster-wide LIST
 permissions

Signed-off-by: Mohsen Mottaghi <mohsenmottaghi@outlook.com>
---
 pkg/kube/statuswait.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/kube/statuswait.go b/pkg/kube/statuswait.go
index 6077af165..a518f0c04 100644
--- a/pkg/kube/statuswait.go
+++ b/pkg/kube/statuswait.go
@@ -132,7 +132,9 @@ func (w *statusWaiter) waitForDelete(ctx context.Context, resourceList ResourceL
 		}
 		resources = append(resources, obj)
 	}
-	eventCh := sw.Watch(cancelCtx, resources, watcher.Options{})
+	eventCh := sw.Watch(cancelCtx, resources, watcher.Options{
+		RESTScopeStrategy: watcher.RESTScopeNamespace,
+	})
 	statusCollector := collector.NewResourceStatusCollector(resources)
 	done := statusCollector.ListenWithObserver(eventCh, statusObserver(cancel, status.NotFoundStatus))
 	<-done
@@ -175,7 +177,9 @@ func (w *statusWaiter) wait(ctx context.Context, resourceList ResourceList, sw w
 		resources = append(resources, obj)
 	}
 
-	eventCh := sw.Watch(cancelCtx, resources, watcher.Options{})
+	eventCh := sw.Watch(cancelCtx, resources, watcher.Options{
+		RESTScopeStrategy: watcher.RESTScopeNamespace,
+	})
 	statusCollector := collector.NewResourceStatusCollector(resources)
 	done := statusCollector.ListenWithObserver(eventCh, statusObserver(cancel, status.CurrentStatus))
 	<-done