Playing around with OpenShift roles, I found the agent doesn't need the vast majority of permissions the cluster-reader role provides. So, rather than assign the agent to the cluster-reader role, I instead create a single role for the agent to be given where that role provides only the permissions the agent actually needs to do its job and no others: https://github.com/hawkular/hawkular-openshift-agent/pull/87/files#diff-e... So far, this looks to be working. Heiko, feel free to try this out. Its part of that use-secrets PR/branch.