vmware-archive / kubecfg

A tool for managing complex enterprise Kubernetes environments as code.


--gc-tag feature doesn't work if it cannot list all the things

mkmik opened this issue · comments

I'm using `kubecfg update foo.jsonnet --gc-tag=bar` in a cluster with RBAC enabled and with an account that can create and list (almost) all objects in a few namespaces, but it cannot list many resource types in most of the other namespaces (e.g. secrets).

In this scenario the kubecfg GC feature cannot be used at all because it fails hard when it tries to list all resources in all namespaces (by using `metav1.NamespaceAll`):

```
apiservices.apiregistration.k8s.io is forbidden: User "system:serviceaccount:toolchain-web:toolchain-web-svcaccount" cannot list apiservices.apiregistration.k8s.io at the cluster scope
```

(The same kind of error happens when using e.g. `kubectl get secret --all-namespaces`.)

My deployment spans a handful of namespaces; the jsonnet resources specify in which namespaces each object goes.

I'd like to be able to use the GC in this scenario.
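To make the requested behaviour concrete, the following Go program is an added example written for this page; it is not kubecfg's code and not from the issue author. It models the GC the way the report asks for: derive the namespaces to scan from the objects the manifests declare, list each resource type per namespace instead of with `metav1.NamespaceAll`, treat a 403 on one (namespace, resource) pair as a recorded blind spot rather than a fatal error, and only then compute which tagged live objects are no longer desired. The API server is replaced by an in-memory fake with a constructed inventory, `ErrForbidden` stands in for what `apierrors.IsForbidden` would report with client-go, and `gcTagAnnotation` is a placeholder key because the real annotation name is not shown above.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// gcTagAnnotation is a placeholder (assumption) for the annotation under which
// kubecfg records --gc-tag on each object it creates.
const gcTagAnnotation = "example.invalid/garbage-collect-tag"

// ErrForbidden stands in for an HTTP 403 from the API server.
var ErrForbidden = errors.New("forbidden")

// Object is a minimal stand-in for an unstructured Kubernetes object.
type Object struct {
	Resource, Namespace, Name string
	Annotations               map[string]string
}

// Key is how live objects are matched against desired ones.
func (o Object) Key() string { return o.Resource + "/" + o.Namespace + "/" + o.Name }

// Lister abstracts one namespaced List call, as a dynamic client would offer.
type Lister interface {
	List(resource, namespace string) ([]Object, error)
}

// NamespacesOf returns the sorted set of namespaces the manifests place
// objects in; these are the only namespaces the GC has to scan.
func NamespacesOf(desired []Object) []string {
	set := map[string]bool{}
	for _, o := range desired {
		set[o.Namespace] = true
	}
	out := make([]string, 0, len(set))
	for ns := range set {
		out = append(out, ns)
	}
	sort.Strings(out)
	return out
}

// Plan lists every resource type in every desired namespace separately.
// A forbidden pair is appended to skipped and the scan continues; any other
// error still aborts, because it would mean silently leaving garbage behind.
func Plan(l Lister, resources []string, desired []Object, tag string) ([]Object, []string, error) {
	want := map[string]bool{}
	for _, o := range desired {
		want[o.Key()] = true
	}
	var toDelete []Object
	var skipped []string
	for _, ns := range NamespacesOf(desired) {
		for _, res := range resources {
			live, err := l.List(res, ns)
			if errors.Is(err, ErrForbidden) {
				skipped = append(skipped, ns+"/"+res)
				continue
			}
			if err != nil {
				return nil, nil, fmt.Errorf("listing %s in %s: %w", res, ns, err)
			}
			for _, o := range live {
				if o.Annotations[gcTagAnnotation] == tag && !want[o.Key()] {
					toDelete = append(toDelete, o)
				}
			}
		}
	}
	return toDelete, skipped, nil
}

// fakeCluster is a constructed in-memory API server; forbidden holds the
// "namespace/resource" pairs the service account is not allowed to list.
type fakeCluster struct {
	objects   []Object
	forbidden map[string]bool
}

func (c fakeCluster) List(resource, namespace string) ([]Object, error) {
	if c.forbidden[namespace+"/"+resource] {
		return nil, fmt.Errorf("cannot list %s in %s: %w", resource, namespace, ErrForbidden)
	}
	var out []Object
	for _, o := range c.objects {
		if o.Resource == resource && o.Namespace == namespace {
			out = append(out, o)
		}
	}
	return out, nil
}

// Demo runs Plan against a constructed cluster where secrets in "api" are
// unlistable, mirroring the RBAC situation described in the issue.
func Demo() ([]Object, []string, error) {
	tagged := func(res, ns, name, tag string) Object {
		return Object{Resource: res, Namespace: ns, Name: name,
			Annotations: map[string]string{gcTagAnnotation: tag}}
	}
	desired := []Object{
		tagged("deployments", "web", "frontend", "bar"),
		tagged("secrets", "web", "tls", "bar"),
		tagged("services", "api", "backend", "bar"),
	}
	cluster := fakeCluster{
		objects: append(desired,
			tagged("deployments", "web", "old-frontend", "bar"), // stale and tagged: delete
			tagged("services", "api", "legacy", "other"),        // different tag: keep
			tagged("secrets", "api", "db-creds", "bar"),         // unlistable: blind spot
			tagged("secrets", "kube-system", "boot", "bar"),     // namespace never scanned
		),
		forbidden: map[string]bool{"api/secrets": true},
	}
	return Plan(cluster, []string{"deployments", "services", "secrets"}, desired, "bar")
}

func main() {
	toDelete, skipped, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, o := range toDelete {
		fmt.Println("delete:", o.Key())
	}
	for _, s := range skipped {
		fmt.Println("not garbage collected (forbidden):", s)
	}
}
```

The caveat this makes visible is that tolerating 403s turns a hard failure into an incomplete collection: the stale `secrets/api/db-creds` survives because the account cannot see it, so a tool taking this route should print the skipped pairs loudly rather than report a clean run. Whether a given pair will land in that list can be checked ahead of time with `kubectl auth can-i list secrets --namespace api` using the same service account.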