diff --git a/deploy/05_must-gather-admin.ClusterRole.yaml b/deploy/05_must-gather-admin.ClusterRole.yaml
index e85c23915..48e58d4f5 100644
--- a/deploy/05_must-gather-admin.ClusterRole.yaml
+++ b/deploy/05_must-gather-admin.ClusterRole.yaml
@@ -1,15 +1,483 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: must-gather-admin
+ name: must-gather-minimal
 rules:
-- apiGroups:
- - '*'
+- apiGroups: [""]
 resources:
- - '*'
+ - namespaces
+ - nodes
+ - nodes/log
+ - nodes/proxy # TODO(swghosh): check requirement
+ - pods
+ - pods/log
+ - services
+ - endpoints
+ - persistentvolumes
+ - persistentvolumeclaims
+ - configmaps
+ # - secrets # TODO(swghosh): check remediation, deliberately access removed
+ - events
+ - limitranges
+ - resourcequotas
+ - replicationcontrollers
+ - serviceaccounts
+ - projects
 verbs:
- - '*'
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - pods/exec
+ - pods/portforward # TODO(swghosh): check requirement
+ verbs:
+ - create
+- apiGroups: ["apps"]
+ resources:
+ - deployments
+ - daemonsets
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+- apiGroups: ["apps"]
+ resources:
+ - daemonsets
+ verbs:
+ - create
+ - delete
+- apiGroups: ["apps.openshift.io"]
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["apiextensions.k8s.io"]
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["apiregistration.k8s.io"]
+ resources:
+ - apiservices
+ verbs:
+ - get
+ - list
+- apiGroups: ["apiserver.openshift.io"]
+ resources:
+ - apirequestcounts
+ verbs:
+ - get
+ - list
+- apiGroups: ["aro.openshift.io"]
+ resources:
+ - clusters
+ verbs:
+ - get
+ - list
+- apiGroups: ["authorization.openshift.io"]
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - get
+ - list
+- apiGroups: ["autoscaling"]
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+- apiGroups: ["batch"]
+ resources:
+ - jobs
+ - cronjobs
+ verbs:
+ - get
+ - list
+- apiGroups: ["build.openshift.io"]
+ resources:
+ - builds
+ - buildconfigs
+ verbs:
+ - get
+ - list
+- apiGroups: ["certificates.k8s.io"]
+ resources:
+ - certificatesigningrequests
+ verbs:
+ - get
+ - list
+- apiGroups: ["cloud.network.openshift.io"]
+ resources:
+ - cloudprivateipconfigs
+ verbs:
+ - get
+ - list
+- apiGroups: ["cns.vmware.com"] # TODO(swghosh): check validity
+ resources:
+ - csinodetopologies
+ - cnsvspherevolumemigrations
+ - cnsvolumeoperationrequests
+ verbs:
+ - get
+ - list
+- apiGroups: ["config.openshift.io"]
+ resources:
+ - nodes
+ - operatorhubs
+ - images
+ - oauths
+ - dnses
+ - imagedigestmirrorsets
+ - proxies
+ - imagetagmirrorsets
+ - authentications
+ - schedulers
+ - consoles
+ - projects
+ - builds
+ - imagecontentpolicies
+ - clusterversions
+ - clusteroperators
+ - networks
+ - apiservers
+ - infrastructures
+ - ingresses
+ - featuregates
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["controlplane.operator.openshift.io"]
+ resources:
+ - podnetworkconnectivitychecks
+ verbs:
+ - get
+ - list
+- apiGroups: ["coordination.k8s.io"]
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+- apiGroups: ["discovery.k8s.io"]
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["flowcontrol.apiserver.k8s.io"]
+ resources:
+ - prioritylevelconfigurations
+ - flowschemas
+ verbs:
+ - get
+ - list
+- apiGroups: ["frrk8s.metallb.io"]
+ resources:
+ - frrconfigurations
+ verbs:
+ - get
+ - list
+- apiGroups: ["gateway.networking.k8s.io"]
+ resources:
+ - gatewayclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["image.openshift.io"]
+ resources:
+ - images
+ - imagestreamtags
+ - imagestreams
+ verbs:
+ - get
+ - list
+- apiGroups: ["imageregistry.operator.openshift.io"]
+ resources:
+ - configs
+ - imagepruners
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["ingress.operator.openshift.io"]
+ resources:
+ - dnsrecords
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["ingressnodefirewall.openshift.io"]
+ resources:
+ - ingressnodefirewalls
+ verbs:
+ - get
+ - list
+- apiGroups: ["k8s.cni.cncf.io"]
+ resources:
+ - network-attachment-definitions
+ - multi-networkpolicies
+ verbs:
+ - get
+ - list
+- apiGroups: ["k8s.ovn.org"]
+ resources:
+ - egressqoses
+ - egressips
+ - adminnetworkpolicies
+ - baselineadminnetworkpolicies
+ - routeadvertisements
+ - egressfirewalls
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["machine.openshift.io"]
+ resources:
+ - controlplanemachinesets
+ - machinehealthchecks
+ - machines
+ - machinesets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["machineconfiguration.openshift.io"]
+ resources:
+ - containerruntimeconfigs
+ - machineconfigs
+ - machineconfigpools
+ - controllerconfigs
+ - kubeletconfigs
+ - machineosbuilds
+ - machineosconfigs
+ - machineconfignodes
+ - pinnedimagesets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["metallb.io"]
+ resources:
+ - bgppeers
+ - bfdprofiles
+ - bgpadvertisements
+ - ipaddresspools
+ - l2advertisements
+ - communities
+ - metallbs
+ verbs:
+ - get
+ - list
+- apiGroups: ["metrics.k8s.io"]
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["migration.k8s.io"]
+ resources:
+ - storageversionmigrations
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["monitoring.coreos.com"]
+ resources:
+ - prometheuses
+ - alertmanagers
+ - servicemonitors
+ verbs:
+ - get
+ - list
+- apiGroups: ["network.openshift.io"]
+ resources:
+ - hostsubnets
+ - netnamespaces
+ - egressnetworkpolicies
+ verbs:
+ - get
+ - list
+- apiGroups: ["networking.k8s.io"]
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - list
+- apiGroups: ["nmstate.io"] # TODO(swghosh): check validity
+ resources:
+ - nmstates
+ - nodenetworkstates
+ - nodenetworkconfigurationenactments
+ - nodenetworkconfigurationpolicies
+ verbs:
+ - get
+ - list
+- apiGroups: ["node.k8s.io"]
+ resources:
+ - runtimeclasses
+ verbs:
+ - get
+ - list
+- apiGroups: ["oauth.openshift.io"] # TODO(swghosh): check validity
+ resources:
+ - oauthclients
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["operator.openshift.io"]
+ resources:
+ - machineconfigurations
+ - authentications
+ - configs
+ - consoles
+ - dnses
+ - etcds
+ - kubeapiservers
+ - kubecontrollermanagers
+ - kubeschedulers
+ - kubestorageversionmigrators
+ - networks
+ - imagecontentsourcepolicies
+ - ingresscontrollers
+ - clustercsidrivers
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["operators.coreos.com"]
+ resources:
+ - operatorconditions
+ - olmconfigs
+ - operators
+ - subscriptions
+ - clusterserviceversions
+ - catalogsources
+ - installplans
+ - operatorgroups
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["performance.openshift.io"]
+ resources:
+ - performanceprofiles
+ verbs:
+ - get
+ - list
+- apiGroups: ["policy"]
+ resources:
+ - poddisruptionbudgets
+ - podsecuritypolicies
+ verbs:
+ - get
+ - list
+- apiGroups: ["policy.networking.k8s.io"]
+ resources:
+ - adminnetworkpolicies
+ - baselineadminnetworkpolicies
+ verbs:
+ - get
+ - list
+- apiGroups: ["quota.openshift.io"]
+ resources:
+ - clusterresourcequotas
+ verbs:
+ - get
+ - list
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources:
+ - roles
+ - rolebindings
+ - clusterroles
+ - clusterrolebindings
+ verbs:
+ - get
+ - list
+- apiGroups: ["route.openshift.io"]
+ resources:
+ - routes
+ verbs:
+ - get
+ - list
+- apiGroups: ["security.openshift.io"]
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - get
+ - list
+- apiGroups: ["sriovnetwork.openshift.io"] # TODO(swghosh): check validity
+ resources:
+ - sriovnetworknodepolicies
+ - sriovnetworknodestates
+ - sriovnetworkpoolconfigs
+ - sriovnetworks
+ - sriovoperatorconfigs
+ - sriovibnetworks
+ verbs:
+ - get
+ - list
+- apiGroups: ["storage.k8s.io"]
+ resources:
+ - storageclasses
+ - volumeattachments
+ - csidrivers
+ - csinodes
+ - volumesnapshotclasses
+ - volumesnapshotcontents
+ - csistoragecapacities
+ verbs:
+ - get
+ - list
+- apiGroups: ["tuned.openshift.io"] # TODO(swghosh): check validity
+ resources:
+ - tuneds
+ verbs:
+ - get
+ - list
+- apiGroups: ["updateservice.operator.openshift.io"] # TODO(swghosh): check validity
+ resources:
+ - updateservices
+ verbs:
+ - get
+ - list
+- apiGroups: ["user.openshift.io"]
+ resources:
+ - users
+ - groups
+ verbs:
+ - get
+ - list
+- apiGroups: ["whereabouts.cni.cncf.io"]
+ resources:
+ - ippools
+ - overlappingrangeipreservations
+ verbs:
+ - get
+ - list
 - nonResourceURLs:
- - '*'
+ - "/debug/api_priority_and_fairness/*"
+ - "/metrics"
 verbs:
- - '*'
+ - get
diff --git a/deploy/06_must-gather-admin.ClusterRoleBinding.yaml b/deploy/06_must-gather-admin.ClusterRoleBinding.yaml
index 929a1aa24..8a914c974 100644
--- a/deploy/06_must-gather-admin.ClusterRoleBinding.yaml
+++ b/deploy/06_must-gather-admin.ClusterRoleBinding.yaml
@@ -4,7 +4,7 @@ metadata:
 name: must-gather-admin
 roleRef:
 kind: ClusterRole
- name: must-gather-admin
+ name: must-gather-minimal
 apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount
diff --git a/examples/other_resources/05_must-gather-admin.ClusterRole.yaml b/examples/other_resources/05_must-gather-admin.ClusterRole.yaml new file mode 120000
index 000000000..97dba7974
--- /dev/null
+++ b/examples/other_resources/05_must-gather-admin.ClusterRole.yaml
@@ -0,0 +1 @@
+deploy/05_must-gather-admin.ClusterRole.yaml
\ No newline at end of file
diff --git a/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml b/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml deleted file mode 100644
index 929a1aa24..000000000
--- a/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: must-gather-admin
-roleRef:
- kind: ClusterRole
- name: must-gather-admin
- apiGroup: rbac.authorization.k8s.io
-subjects:
-- kind: ServiceAccount
- name: must-gather-admin
- namespace: must-gather-operator
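Review bot: The role named "minimal" still carries cluster-wide rights that in practice amount to running code on every node — `create` on `pods/exec` and `pods/portforward` in the core group, `create`/`delete` on `daemonsets` in `apps`, and `get` on `nodes/proxy` — and the hunk gives no rationale for them beyond two TODOs; each of those rules should carry a comment naming the gather step that needs it, e.g. `# exec into any pod cluster-wide: needed by <GATHER-SCRIPT>; equivalent to node access, keep under review`, and if the DaemonSet and exec use is confined to the must-gather namespace, binding those two rules through a namespaced RoleBinding instead of the ClusterRoleBinding would shrink the blast radius. Renaming the ClusterRole from `must-gather-admin` to `must-gather-minimal` (and the roleRef in the ClusterRoleBinding hunk of deploy/06 below) leaves the old wildcard `must-gather-admin` ClusterRole in place on already-installed clusters unless something outside this diff deletes it, so it is worth confirming the operator's upgrade path removes it and that no other binding still references it. Minor: `podsecuritypolicies` under `policy` is gone from current Kubernetes, so that entry is dead, and `apiGroups` uses flow style (`[""]`) while `resources`/`verbs` use block style throughout.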
diff --git a/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml b/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml new file mode 120000
index 000000000..ba9dd4330
--- /dev/null
+++ b/examples/other_resources/06_must-gather-admin.ClusterRoleBinding.yaml
@@ -0,0 +1 @@
+deploy/06_must-gather-admin.ClusterRoleBinding.yaml
\ No newline at end of file