We have installed kube-prometheus-stack on our Kubernetes cluster and I noticed that the ClusterRole "kube-prometheus-stack-kube-state-metrics" has the resource "secrets" with verbs "list, watch".
As a central Kubernetes management team in an organization, we would like to give restricted access for Secrets, and just wanted to get an idea around what's the use-case which the operator is supporting.
Why does it need cluster wide access to secrets?
Kube-prometheus uses kube-state-metrics as part of the stack. By default, kube-state-metrics has secrets enabled in its objects during the default installation.
Check this
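For a team reviewing this kind of grant, the following added example (not part of the original posts or of kube-prometheus-stack) audits ClusterRoles for read access to all Secrets, including wildcard rules. The JSON is a constructed sample shaped like `kubectl get clusterroles -o json`; only the role name and its `list, watch` rule come from the question, and the other roles are hypothetical. A ClusterRole takes effect cluster-wide only when bound through a ClusterRoleBinding, which this check does not inspect.

```python
import json

# Constructed sample shaped like `kubectl get clusterroles -o json` output.
# Only the first role's name and its secrets list/watch rule come from the
# question; every other rule and role here is made up for illustration.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "kube-prometheus-stack-kube-state-metrics"},
   "rules": [
     {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list", "watch"]},
     {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "watch"]}]},
  {"metadata": {"name": "example-wildcard-reader"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get"]}]},
  {"metadata": {"name": "example-named-secret"},
   "rules": [{"apiGroups": [""], "resources": ["secrets"],
              "resourceNames": ["tls-cert"], "verbs": ["get"]}]},
  {"metadata": {"name": "example-apps-only"},
   "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]}]}
]}
""")

READ_VERBS = {"get", "list", "watch"}

def secret_read_verbs(rule):
    """Return the read verbs a rule grants on core-group secrets, or an empty set."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    if not ({"", "*"} & groups) or not ({"secrets", "*"} & resources):
        return set()
    if rule.get("resourceNames"):  # scoped to named objects, not every secret
        return set()
    verbs = set(rule.get("verbs", []))
    return set(READ_VERBS) if "*" in verbs else verbs & READ_VERBS

def audit(role_list):
    """Map ClusterRole name -> sorted read verbs it grants on all secrets."""
    findings = {}
    for role in role_list.get("items", []):
        granted = set()
        for rule in role.get("rules") or []:  # rules may be null on empty roles
            granted |= secret_read_verbs(rule)
        if granted:
            findings[role["metadata"]["name"]] = sorted(granted)
    return findings

if __name__ == "__main__":
    for name, verbs in audit(SAMPLE).items():
        print(f"{name}: {','.join(verbs)}")
```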