Drone needs a lot of permissions on kubernetes

So I’ve been getting this error:
test: services is forbidden: User "system:serviceaccount:drone:default" cannot create services in the namespace "4b9u83gve8xztgrvzlx8dqi9qf35it7u"

Because the drone user didn’t have enough permissions to create services - due to them being on namespaces with random names - so I needed to give more permissions to the drone user and as a result I’m feeling a bit queasy having a service that has an outward facing URL (the webook) with so much permissions on my kubernetes.

Would it make sense to include an option to drone to only use predefined namespaces - e.g. a limited number of them (which would coincidentally also limit the number of concurrent pipelines) with predefined names so that I could only give drone permissions to those namespaces?

Drone is pluggable so it is certainly possible to implement your own scheduler. My primary goal is to provide a single, canonical Kubernetes implementation that others can customize and build on top of. I have no plans to change the current implementation, but would encourage community plugins, and will do what I can to ensure such plugins can be easily implemented.