
chore: Describe RBAC rules, remove unnecessary rules#820

Open
NickLarsenNZ wants to merge 16 commits into main from chore/rbac-review

Conversation

@NickLarsenNZ
Member

@NickLarsenNZ NickLarsenNZ commented Mar 26, 2026

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Operator ClusterRole rule removals

  • nodes list/watch - not needed; only nodes/proxy get is required for cluster domain detection
  • pods create/delete/get/list/patch/update/watch - operator does not manage Pod resources directly (it manages DaemonSets)
  • secrets create/delete/get/list/patch/update/watch - operator does not manage Secret resources
  • endpoints create/delete/get/list/patch/update/watch - operator does not manage Endpoints resources
  • configmaps/services update - not needed; the operator uses Server-Side Apply (create + patch), not update
  • serviceaccounts update/watch - not needed; SSA and orphan cleanup do not require update or watch
  • rolebindings update/watch - not needed; same reason as serviceaccounts
  • daemonsets update - not needed; same reason (SSA, not update)
  • jobs create/get/list/patch/update/watch - operator does not manage Job resources
  • customresourcedefinitions get (outside maintenance guard) - not needed as a standalone verb; list and watch (now always present) are sufficient for the startup condition
  • opaclusters patch - not needed; the operator only patches the status subresource, not the resource itself

Product ClusterRole rule removals

  • configmaps get - the workload pods access ConfigMaps via volume mounts (handled by the kubelet), not via the Kubernetes API. list/watch retained because the bundle-builder sidecar needs them (see TODO in clusterrole-product.yaml).
  • secrets/serviceaccounts get/list/watch - the workload pods access these via volume mounts (handled by the kubelet), not via the Kubernetes API
  • events.k8s.io events create/patch - neither OPA nor the user-info-fetcher sidecar emit Kubernetes events

OPA bundle builder ClusterRole rule removals

  • No rules were removed.
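The removals listed above are, mechanically, a set difference over (apiGroup, resource, verb) grants. The script below makes that diff reproducible and audits whatever survives; it is an added example, not code from this PR or from the operator. The two ClusterRoles are constructed to mirror the bullet list in the description (the role name and the exact grouping of rules are assumptions) and are written in the JSON shape `kubectl get clusterrole NAME -o json` returns, so only the Python standard library is needed.

```python
"""Diff two Kubernetes ClusterRoles as (apiGroup, resource, verb) grants
and audit what survives.

Added example, not code from the PR or the operator. The two ClusterRoles
are constructed to mirror the PR description's bullet list (names and the
exact rule layout are assumptions) in the JSON shape
`kubectl get clusterrole NAME -o json` returns.
"""
import json
from itertools import product

# Constructed "before": the operator ClusterRole prior to the review.
BEFORE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator-clusterrole"},  # assumed name
    "rules": [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["list", "watch"]},
        {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["pods", "secrets", "endpoints"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["configmaps", "services"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": ["apps"], "resources": ["daemonsets"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": ["batch"], "resources": ["jobs"],
         "verbs": ["create", "get", "list", "patch", "update", "watch"]},
    ],
}

# Constructed "after": the same role with the PR's removals applied.
AFTER = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator-clusterrole"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},
        # Server-Side Apply needs create + patch; update is dropped.
        {"apiGroups": [""], "resources": ["configmaps", "services"],
         "verbs": ["create", "delete", "get", "list", "patch", "watch"]},
        {"apiGroups": ["apps"], "resources": ["daemonsets"],
         "verbs": ["create", "delete", "get", "list", "patch", "watch"]},
    ],
}

READ_VERBS = {"get", "list", "watch"}
PRIVILEGED_VERBS = {"escalate", "bind", "impersonate"}


def flatten(role):
    """Expand every PolicyRule into a set of (apiGroup, resource, verb).

    Rules scoped by resourceNames are narrower than the bare triple and are
    kept distinct by tagging the resource as "resource[name]". Rules that
    only use nonResourceURLs have no resources and contribute nothing.
    """
    grants = set()
    for rule in role.get("rules", []):
        names = rule.get("resourceNames") or [None]
        for group, res, verb, name in product(
            rule.get("apiGroups", []), rule.get("resources", []),
            rule.get("verbs", []), names,
        ):
            key = f"{res}[{name}]" if name else res
            grants.add((group, key, verb))
    return grants


def diff_roles(before, after):
    """Return (removed, added) grant lists, sorted for stable output."""
    b, a = flatten(before), flatten(after)
    return sorted(b - a), sorted(a - b)


def audit(role):
    """Flag grants a reviewer would question: wildcards, Secret reads,
    pod exec/attach, and the RBAC escalation verbs."""
    findings = []
    for group, res, verb in sorted(flatten(role)):
        where = f"{group or 'core'}/{res} {verb}"
        if "*" in (group, res, verb):
            findings.append(f"wildcard grant: {where}")
        if res.startswith("secrets") and verb in READ_VERBS:
            findings.append(f"secret read access: {where}")
        if res in {"pods/exec", "pods/attach"}:
            findings.append(f"container access: {where}")
        if verb in PRIVILEGED_VERBS:
            findings.append(f"privilege-escalation verb: {where}")
    return findings


if __name__ == "__main__":
    removed, added = diff_roles(BEFORE, AFTER)
    print(f"{len(removed)} grants removed, {len(added)} added")
    for grant in removed:
        print("  -", *grant)
    print("remaining findings:", json.dumps(audit(AFTER)))
```

Run it against real manifests by loading `kubectl get clusterrole NAME -o json` output for both revisions in place of the constructed dicts. The audit deliberately treats `secrets get/list/watch` as a finding even when each verb looks innocuous on its own, because together they let a ServiceAccount read every Secret in the cluster; in a Role the same check would be namespace-scoped.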


…clusterrole

Not needed for CRD maintenance nor startup condition
Not needed for clusterDomain detection
…duct clusterrole

OPA doesn't interact with the Kubernetes API
Required for startup condition regardless of CRD maintenance
Neither OPA nor UIF interact with the Kubernetes API
…tor.yaml and clusterrole-product.yaml

Also rename the opa-builder clusterrole file to be consistent
@NickLarsenNZ
Member Author

The one failure is expected, since the local nix builds (for make run-dev) don't include CA certs.

I have noted it down to be fixed separately.

--- FAIL: kuttl/harness/aas-user-info_opa-latest-1.12.3_openshift-false (436.95s)
--- PASS: kuttl/harness/cluster-operation_opa-latest-1.12.3_openshift-false (40.14s)
--- PASS: kuttl/harness/keycloak-user-info_opa-latest-1.12.3_keycloak-23.0.1_openshift-false (248.53s)
--- PASS: kuttl/harness/logging_opa-1.12.3_openshift-false (74.50s)
--- PASS: kuttl/harness/logging_opa-1.8.0_openshift-false (84.43s)
--- PASS: kuttl/harness/openldap-user-info_opa-latest-1.12.3_openshift-false (103.40s)
--- PASS: kuttl/harness/resources_opa-latest-1.12.3_openshift-false (22.63s)
--- PASS: kuttl/harness/smoke_opa-1.12.3_openshift-false_use-tls-false (63.01s)
--- PASS: kuttl/harness/smoke_opa-1.12.3_openshift-false_use-tls-true (64.99s)
--- PASS: kuttl/harness/smoke_opa-1.8.0_openshift-false_use-tls-false (57.05s)
--- PASS: kuttl/harness/smoke_opa-1.8.0_openshift-false_use-tls-true (65.21s)

Comment on lines +13 to +14
# ClusterRole (clusterrole-opa-builder.yaml) is not yet bound to the product ServiceAccount.
# TODO: Wire up the bundle-builder ClusterRole binding in the operator and remove this rule.
Member Author


I'll fix this in a follow up PR

@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering Apr 10, 2026
@NickLarsenNZ NickLarsenNZ marked this pull request as ready for review April 10, 2026 08:12
