Run elastic-operator with fewer permissions? Disable webhook?

The elastic-operator ClusterRole, which is deployed and granted when installing with the "all-in-one.yaml" method, gives a lot of permissions on the cluster. So much even, you may as well be running the operator as cluster-admin.

Is there a supported deployment method which allows the operator to run so that it can only watch / manage objects in specific namespaces?

Can we also go without permissions to manage admission configurations? (i.e., disable the webhook?) I do not feel comfortable sending all my secrets to the operator for inspection, and it makes the uninstalls more complex...

Is there a supported deployment method which allows the operator to run so that it can only watch / manage objects in specific namespaces?

Yes, you can configure the operator to only manage objects in a single namespace or a set of namespaces. Have a look at the --namespaces argument in https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-operator-config.html

Can we also go without permissions to manage admission configurations? (i.e., disable the webhook?)

Yes, that is also possible; you will have to change the --roles argument of the operator from all to global,namespace. You can then reduce the RBAC permissions you give to the elastic-operator service account.
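
One way to check the result after reducing the RBAC, as an added example that is not part of the original thread or ECK's own code: it reads a role in the JSON shape that `kubectl get clusterrole elastic-operator -o json` prints and flags rules that still allow changing admission webhook configurations or touching secrets outside a single namespace. The sample role and its rules are constructed for illustration, not copied from all-in-one.yaml.

```python
import json

# Constructed sample, shaped like `kubectl get clusterrole elastic-operator -o json`.
# The rules are illustrative and are NOT copied from all-in-one.yaml.
SAMPLE_ROLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "elastic-operator"},
 "rules": [
  {"apiGroups": [""], "resources": ["pods", "secrets"],
   "verbs": ["get", "list", "watch", "create", "update", "delete"]},
  {"apiGroups": ["admissionregistration.k8s.io"],
   "resources": ["validatingwebhookconfigurations"],
   "verbs": ["get", "create", "update", "patch"]},
  {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}
 ]}
""")

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
WEBHOOK_RESOURCES = {"validatingwebhookconfigurations", "mutatingwebhookconfigurations"}


def matches(values, wanted):
    """True if an RBAC list names any wanted item or uses the '*' wildcard."""
    values = set(values or [])
    return "*" in values or bool(values & set(wanted))


def audit(role):
    """Return (rule index, finding) pairs for the permissions raised in the question."""
    findings = []
    # A ClusterRole is only cluster-wide when bound by a ClusterRoleBinding.
    cluster_wide = role.get("kind") == "ClusterRole"
    for i, rule in enumerate(role.get("rules") or []):
        groups, resources = rule.get("apiGroups"), rule.get("resources")
        verbs = set(rule.get("verbs") or [])
        if "*" in verbs or "*" in set(resources or []):
            findings.append((i, "wildcard verbs or resources"))
        if (matches(groups, ["admissionregistration.k8s.io"])
                and matches(resources, WEBHOOK_RESOURCES) and verbs & WRITE_VERBS):
            findings.append((i, "can modify admission webhook configurations"))
        if cluster_wide and matches(groups, [""]) and matches(resources, ["secrets"]):
            findings.append((i, "secrets access cluster-wide if bound by a ClusterRoleBinding"))
    return findings


if __name__ == "__main__":
    for index, finding in audit(SAMPLE_ROLE):
        print(f"rule {index}: {finding}")
```

An empty result for the role bound to the elastic-operator service account means none of these three patterns remain; it does not show that the operator has every permission it needs.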