The steps to install CA APM's OpenShift monitor are documented here: https://docops.ca.com/ca-apm/10-7/en/implementing-agents/infrastructure-agent/openshift-monitoring/install-and-configure-openshift-monitoring.
Why is the cluster-reader role required for the caapm user, and why is privileged access required for the default namespace?
To obtain these metrics, the OpenShift monitor uses various OpenShift APIs, which can be executed remotely, to query the state of various Kubernetes and Docker objects in the environment. The caapm service account needs the cluster-reader role to obtain the metrics. Privileged access is needed because the monitor runs in a pod/container and requires suitable access to the filesystem and the docker.sock file of the host the environment runs on.
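To see how far the privileged grant described above reaches, the following added example (not CA's code and not part of the original article) lists every container in a pod spec that is privileged or mounts the host filesystem or docker.sock. The pod spec, the container and volume names, and the `/var/run/docker.sock` and `/host` paths are constructed assumptions; the monitor's real manifest may differ.

```python
# Constructed sample pod spec (not CA's actual manifest); names and paths are assumptions.
SAMPLE_POD = {
    "metadata": {"name": "monitor-example", "namespace": "default"},
    "spec": {
        "serviceAccountName": "caapm",
        "containers": [
            {"name": "monitor",
             "securityContext": {"privileged": True},
             "volumeMounts": [
                 {"name": "dockersock", "mountPath": "/var/run/docker.sock"},
                 {"name": "hostroot", "mountPath": "/host", "readOnly": True}]},
            {"name": "sidecar",
             "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}]},
        ],
        "volumes": [
            {"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}},
            {"name": "hostroot", "hostPath": {"path": "/"}},
            {"name": "scratch", "emptyDir": {}},
        ],
    },
}


def host_access_findings(pod):
    """Return (container, finding) tuples for host-level access in a pod spec."""
    spec = pod.get("spec", {})
    # Only hostPath volumes expose the node's filesystem; map name -> host path.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append((c["name"], "privileged"))
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue  # emptyDir, configMap, etc. do not touch the host
            if path.rstrip("/").endswith("docker.sock"):
                findings.append((c["name"], "docker.sock:" + path))
            else:
                mode = "ro" if m.get("readOnly") else "rw"
                findings.append((c["name"], "hostPath:%s:%s" % (path, mode)))
    return findings


if __name__ == "__main__":
    for name, finding in host_access_findings(SAMPLE_POD):
        print(name, finding)
```

Running the same function over the output of `oc get pods -o json` for the namespace (one item at a time) shows which other workloads in it hold the same host access.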