diff --git a/.github/workflows/continuous-delivery.yml b/.github/workflows/continuous-delivery.yml
index 4a4a022..8b205c5 100644
--- a/.github/workflows/continuous-delivery.yml
+++ b/.github/workflows/continuous-delivery.yml
@@ -102,3 +102,42 @@ jobs:
           kubectl wait --timeout=5m --for=jsonpath='{.status.phase}'="$PHASE" pgdgroups/region-a
           kubectl wait --timeout=5m --for=jsonpath='{.status.phase}'="$PHASE" pgdgroups/region-b
           kubectl wait --timeout=5m --for=jsonpath='{.status.phase}'="$PHASE" pgdgroups/region-c
+
+  deploy-ep4k-single-namespace:
+    runs-on: ubuntu-22.04
+    needs:
+      - change-triage
+    if: needs.change-triage.outputs.ep4k-changed == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v3.5
+        with:
+          version: v3.11.3
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.8.0
+
+      - name: Deploy in single-namespace mode using helm chart
+        run: |
+          helm upgrade --install edb-pg4k --namespace single-install \
+          --set config.clusterWide=false \
+          --create-namespace charts/edb-postgres-for-kubernetes --wait
+      - name: Install kubectl
+        uses: azure/setup-kubectl@v3.2
+
+      - name: Deploy a cluster in the watched namespace
+        run: |
+          kubectl -n single-install apply -f hack/samples/ep4k-cluster.yaml
+          PHASE="Cluster in healthy state"
+          kubectl -n single-install wait --timeout=5m --for=jsonpath='{.status.phase}'="$PHASE" clusters/cluster-example
+
+      - name: Ignore deploying a cluster in another namespace
+        run: |
+          kubectl create ns test-ignore
+          kubectl -n test-ignore apply -f hack/samples/ep4k-cluster.yaml
+          kubectl -n test-ignore get pods 2>&1 >/dev/null | grep 'No resources found'
diff --git a/README.md b/README.md
index a2c15b7..beff161 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,30 @@ edb-pg4k-edb-postgres-for-kubernetes   1/1     1            1           11s
 Once it is ready, you can verify that you can deploy the sample cluster
 suggested by the helm chart.
 
+### Single namespace installation
+
+It is possible to limit the operator's capabilities to solely the namespace in
+which it has been installed. With this restriction, the cluster-level
+permissions required by the operator will be substantially reduced, and
+the security profile of the installation will be enhanced.
+
+You can install the operator in single-namespace mode by setting the
+`config.clusterWide` flag to false, as in the following example:
+
+```console
+helm upgrade --install edb-pg4k \
+  --namespace postgresql-operator-system \
+  --create-namespace \
+  --set config.clusterWide=false \
+  edb/edb-postgres-for-kubernetes
+```
+
+**IMPORTANT**: the single-namespace installation mode can't coexist
+with the cluster-wide operator. Otherwise there would be collisions when
+managing the resources in the namespace watched by the single-namespace
+operator.
+It is up to the user to ensure there is no collision between operators.
+
 ### Deploying EDB Postgres for Kubernetes (PG4K) operator from EDB's private registry
 
 By default, PG4K will be deployed using [images publicly hosted on Quay.io](https://quay.io/repository/enterprisedb/cloud-native-postgresql),
diff --git a/charts/edb-postgres-for-kubernetes/templates/NOTES.txt b/charts/edb-postgres-for-kubernetes/templates/NOTES.txt
index 8c7e7f1..59e542b 100644
--- a/charts/edb-postgres-for-kubernetes/templates/NOTES.txt
+++ b/charts/edb-postgres-for-kubernetes/templates/NOTES.txt
@@ -1,6 +1,6 @@
 
 EDB Postgres for Kubernetes Operator should be installed in namespace "{{ .Release.Namespace }}".
-You can now create a PostgreSQL cluster with 3 nodes in the current namespace as follows:
+You can now create a PostgreSQL cluster with 3 nodes as follows:
 
 cat <<EOF | kubectl apply -f -
 # Example of PostgreSQL cluster
@@ -8,11 +8,14 @@ apiVersion: postgresql.k8s.enterprisedb.io/v1
 kind: Cluster
 metadata:
   name: cluster-example
+  {{if not .Values.config.clusterWide  -}}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
 spec:
   instances: 3
   storage:
     size: 1Gi
 EOF
 
-kubectl get cluster
+kubectl get -A cluster
 
diff --git a/charts/edb-postgres-for-kubernetes/templates/_helpers.tpl b/charts/edb-postgres-for-kubernetes/templates/_helpers.tpl
index dab0824..11ab523 100644
--- a/charts/edb-postgres-for-kubernetes/templates/_helpers.tpl
+++ b/charts/edb-postgres-for-kubernetes/templates/_helpers.tpl
@@ -71,3 +71,347 @@ Create the imagePullSecret
 {{- end }}
 {{- end }}
 {{- end }}
+
+{{/*
+Define the common set of rules that can be applied either with
+namespace scope or clusterwide
+*/}}
+{{- define "edb-postgres-for-kubernetes.commonRules" }}
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/status
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - podmonitors
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.k8s.enterprisedb.io
+  resources:
+  - backups
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.k8s.enterprisedb.io
+  resources:
+  - backups/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - postgresql.k8s.enterprisedb.io
+  resources:
+  - clusters
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.k8s.enterprisedb.io
+  resources:
+  - clusters/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - postgresql.k8s.enterprisedb.io
+  resources:
+  - clusters/status
+  verbs:
+  - get
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.k8s.enterprisedb.io
+  resources:
+  - poolers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.k8s.enterprisedb.io
+  resources:
+  - poolers/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - postgresql.k8s.enterprisedb.io
+  resources:
+  - poolers/status
+  verbs:
+  - get
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.k8s.enterprisedb.io
+  resources:
+  - scheduledbackups
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.k8s.enterprisedb.io
+  resources:
+  - scheduledbackups/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+{{- end }}
+
+{{/*
+Define the set of rules that must be applied clusterwide
+*/}}
+{{- define "edb-postgres-for-kubernetes.clusterwideRules" }}
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - update
+{{- end }}
diff --git a/charts/edb-postgres-for-kubernetes/templates/config.yaml b/charts/edb-postgres-for-kubernetes/templates/config.yaml
index 57ed46f..fffae1c 100644
--- a/charts/edb-postgres-for-kubernetes/templates/config.yaml
+++ b/charts/edb-postgres-for-kubernetes/templates/config.yaml
@@ -25,7 +25,13 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 data:
+  {{- if .Values.config.clusterWide  -}}
   {{- toYaml .Values.config.data | nindent 2 }}
+  {{- else -}}
+  {{- $watchNamespaceMap := dict "WATCH_NAMESPACE" .Release.Namespace -}}
+  {{- $fullConfiguration := merge .Values.config.data $watchNamespaceMap -}}
+  {{- toYaml $fullConfiguration | nindent 2 }}
+  {{- end -}}
 {{- end }}
 {{- else -}}
 apiVersion: v1
diff --git a/charts/edb-postgres-for-kubernetes/templates/deployment.yaml b/charts/edb-postgres-for-kubernetes/templates/deployment.yaml
index c546680..533f770 100644
--- a/charts/edb-postgres-for-kubernetes/templates/deployment.yaml
+++ b/charts/edb-postgres-for-kubernetes/templates/deployment.yaml
@@ -64,6 +64,10 @@ spec:
               fieldPath: metadata.namespace
         - name: MONITORING_QUERIES_CONFIGMAP
           value: "{{ .Values.monitoringQueriesConfigMap.name }}"
+        {{ if not .Values.config.clusterWide -}}
+        - name: WATCH_NAMESPACE
+          value: "{{ .Release.Namespace }}"
+        {{- end }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         livenessProbe:
diff --git a/charts/edb-postgres-for-kubernetes/templates/rbac.yaml b/charts/edb-postgres-for-kubernetes/templates/rbac.yaml
index bebcddb..904ce7e 100644
--- a/charts/edb-postgres-for-kubernetes/templates/rbac.yaml
+++ b/charts/edb-postgres-for-kubernetes/templates/rbac.yaml
@@ -39,337 +39,14 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - configmaps/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - persistentvolumeclaims
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods/exec
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods/status
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - secrets/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - mutatingwebhookconfigurations
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingwebhookconfigurations
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - get
-  - list
-  - update
-- apiGroups:
-  - apps
-  resources:
-  - deployments
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-  - get
-  - update
-- apiGroups:
-  - monitoring.coreos.com
-  resources:
-  - podmonitors
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - watch
-- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - postgresql.k8s.enterprisedb.io
-  resources:
-  - backups
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - postgresql.k8s.enterprisedb.io
-  resources:
-  - backups/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - postgresql.k8s.enterprisedb.io
-  resources:
-  - clusters
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - postgresql.k8s.enterprisedb.io
-  resources:
-  - clusters/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - postgresql.k8s.enterprisedb.io
-  resources:
-  - clusters/status
-  verbs:
-  - get
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - postgresql.k8s.enterprisedb.io
-  resources:
-  - poolers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - postgresql.k8s.enterprisedb.io
-  resources:
-  - poolers/finalizers
-  verbs:
-  - update
-- apiGroups:
-  - postgresql.k8s.enterprisedb.io
-  resources:
-  - poolers/status
-  verbs:
-  - get
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - postgresql.k8s.enterprisedb.io
-  resources:
-  - scheduledbackups
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - postgresql.k8s.enterprisedb.io
-  resources:
-  - scheduledbackups/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - rolebindings
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - roles
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - snapshot.storage.k8s.io
-  resources:
-  - volumesnapshots
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - watch
+{{- include "edb-postgres-for-kubernetes.clusterwideRules" . }}
+{{/*
+If we're doing a clusterWide installation (default)
+we add ALL the necessary rules for the operator to the ClusterRole
+*/}}
+{{- if .Values.config.clusterWide }}
+{{- include "edb-postgres-for-kubernetes.commonRules" . }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -377,7 +54,7 @@ metadata:
   name: {{ include "edb-postgres-for-kubernetes.fullname" . }}
   labels:
     {{- include "edb-postgres-for-kubernetes.labels" . | nindent 4 }}
-  {{- with .Values.commonAnnotations.annotations }}
+  {{- with .Values.commonAnnotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
@@ -389,4 +66,44 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "edb-postgres-for-kubernetes.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+{{/*
+If we're doing a single-namespace installation
+we create a Role with the common rules for the operator,
+and a RoleBinding. We already created the ClusterRole above with the
+required cluster-wide rules
+*/}}
+{{- if eq .Values.config.clusterWide false }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "edb-postgres-for-kubernetes.fullname" . }}
+  labels:
+    {{- include "edb-postgres-for-kubernetes.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+{{- include "edb-postgres-for-kubernetes.commonRules" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "edb-postgres-for-kubernetes.fullname" . }}
+  labels:
+    {{- include "edb-postgres-for-kubernetes.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "edb-postgres-for-kubernetes.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "edb-postgres-for-kubernetes.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
 {{- end }}
diff --git a/charts/edb-postgres-for-kubernetes/values.yaml b/charts/edb-postgres-for-kubernetes/values.yaml
index 9aedbc3..da1600a 100644
--- a/charts/edb-postgres-for-kubernetes/values.yaml
+++ b/charts/edb-postgres-for-kubernetes/values.yaml
@@ -58,6 +58,10 @@ config:
   create: true
   # -- Specifies whether it should be stored in a secret, instead of a configmap
   secret: false
+  # -- This option determines if the operator is responsible for observing
+  # events across the entire Kubernetes cluster or if its focus should be
+  # narrowed down to the specific namespace within which it has been deployed.
+  clusterWide: true
   # Examples:
   # INHERITED_ANNOTATIONS: categories
   # INHERITED_LABELS: environment, workload, app