Hardening cluster role RBAC to service account

[segaldor]

What would you like to be added:
I would like external-dns-management to support namespaced roles to service account instead of cluster role permissions.

As part of the bootstrap process, this service account tries to access secrets on cluster scope.
In addition is it possible to remove "update" permission (https://github.com/gardener/external-dns-management/blob/master/charts/external-dns-management/templates/clusterrole.yaml) before implementing feature.

I would have added few more words on how would we wish things would have been, such as: we should grant permissions according to configuration (because times we'll want to grant permissions in cluster scope and times only according to ns)

Why is this needed:
Security issues - This cluster role grants permissions to access sensitive resources (controller gets permissions to secrets in cluster scope)

[MartinWeindel]

Currently it is not possible to remove the cluster role permissions, as the external-dns-management is designed to work on all namespaces (also ones created dynamically). Therefore it uses cluster-wide watches. Update permissions for secrets, services, and ingresses are needed to set finalizers for various purposes.

It would be needed to implement some command line option to change to the watches to a given set of namespaces. Feel free to contribute such a change.