My install comes off the Helm chart you guys provide, which sets --namespace when namespaced: true.

The Chart then creates a RoleBinding instead of a ClusterRoleBinding. Which makes sense.

However the service itself:

Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User \"system:serviceaccount:demoapp:demoapp-7xhgd-external-dns-private\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope: Azure does not have opinion for this user." logger="UnhandledError"

Failed to watch *v1beta1.Gateway: failed to list *v1beta1.Gateway: gateways.gateway.networking.k8s.io is forbidden: User \"system:serviceaccount:demoapp:demoapp-7xhgd-external-dns-private\" cannot list resource \"gat ││ eways\" in API group \"gateway.networking.k8s.io\" at the cluster scope: Azure does not have opinion for this user." logger="UnhandledError"

Seems it is trying to watch resources at the cluster scope which it would not have accecss to.