operator-framework · metacosm · Oct 24, 2022 · Oct 21, 2022 · Oct 21, 2022
diff --git a/docs/documentation/faq.md b/docs/documentation/faq.md
@@ -43,4 +43,32 @@ without an update:
 ```
 
 Although you might consider using `EventSources`, to handle reconciliation triggering in a smarter
-way. 
+way. 
+
+### Q: How can I run an operator without cluster scope rights?
+
+By default, JOSDK requires access to CRs at cluster scope. You may not be granted such
+rights and you will see some error at startup that looks like:
+
+```plain
+io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.local.svc/apis/mygroup/v1alpha1/mycr. Message: Forbidden! Configured service account doesn't have access. Service account may have been revoked. mycrs.mygroup is forbidden: User "system:serviceaccount:ns:sa" cannot list resource "mycrs" in API group "mygroup" at the cluster scope.
+```
+
+To restrict the operator to a set of namespaces, you may override which namespaces are watched by a reconciler
+at [Reconciler-level configuration](./configuration.md#reconciler-level-configuration):
+
+```java
+Operator operator;
+Reconciler reconciler;
+...
+operator.register(reconciler, configOverrider ->
+        configOverrider.settingNamespace("mynamespace"));
+```
+Note that configuring the watched namespaces can also be done using the `@ControllerConfiguration` annotation.
+
+Furthermore, you may not be able to list CRDs at startup which is required when `checkingCRDAndValidateLocalModel`
+is `true` (`false` by default). To disable, set it to `false` at [Operator-level configuration](./configuration.md#operator-level-configuration):
+
+```java
+ConfigurationServiceProvider.overrideCurrent(o -> o.checkingCRDAndValidateLocalModel(false));
+```