Potential vulnerable RBAC rules in keda-operator Clusterrolebinding

[IsuruBoyagane15]

Hi,
I have been using KEDA for a while and hope to use it in our production cluster.
I came across these RBAC permission rules which are not very clear to me. It would be great if someone can explain the purpose and the usage of these rules.

Keda-operator clusterRole have the following rule.

- apiGroups:
  - ""
  resources:
  - external
  - pods
  - secrets
  - services
  verbs:
  - get
  - list
  - watch

• "keda-operator" and "keda-operator-metrics-apiserver" deployments which have this role, can get, list, watch all the cluster-wide secrets. How can this permission be used in the "keda-operator" and "keda-operator-metrics-apiserver"? Isn't this a possibility to compromise all the secretes in the cluster?

• Is external a specific resources type? What is the usage of external resource in this context?

Also, "keda-operator" and "keda-operator-metrics-apiserver" are given the role system:auth-delegator using keda-operator-system-auth-delegator ClusterRoleBinding. What would be the usage of keda-operator and keda-operator-metrics-apiserver to have system: level ClusterRole?

It would be great if someone can explain these with reasons.
Thanks is advance.

[joebowbeer]

Related: #4730

[joebowbeer]

Answered?

https://keda.sh/docs/2.15/operate/cluster/#restrict-secret-access