RBAC permissions required by KOTS in an existing cluster?

I understand that KOTS can run in two modes – full-admin where the kotsadm service account has fairly broad access to the cluster, or I can set the requireMinimalRBAC flag in the kots.io/v1beta Application YAML. What sets of RBAC permissions are provisioned by the KOTS CLI in each case? (I’m not concerned about kURL embedded clusters here)