
chore: Describe RBAC rules, remove unnecessary rules#820

Draft
NickLarsenNZ wants to merge 14 commits into main from chore/rbac-review

Conversation


NickLarsenNZ (Member) commented Mar 26, 2026

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Operator ClusterRole rule removals

  • nodes list/watch - not needed; only nodes/proxy get is required for cluster domain detection
  • pods create/delete/get/list/patch/update/watch - operator does not manage Pod resources directly (it manages DaemonSets)
  • secrets create/delete/get/list/patch/update/watch - operator does not manage Secret resources
  • endpoints create/delete/get/list/patch/update/watch - operator does not manage Endpoints resources
  • configmaps/services update - not needed; the operator uses Server-Side Apply (create + patch), not update
  • serviceaccounts update/watch - not needed; SSA and orphan cleanup do not require update or watch
  • rolebindings update/watch - not needed; same reason as serviceaccounts
  • daemonsets update - not needed; same reason (SSA, not update)
  • jobs create/get/list/patch/update/watch - operator does not manage Job resources
  • customresourcedefinitions get (outside maintenance guard) - not needed as a standalone verb; list and watch (now always present) are sufficient for the startup condition
  • opaclusters patch - not needed; the operator only patches the status subresource, not the resource itself

Product ClusterRole rule removals

  • configmaps get - the workload pods access ConfigMaps via volume mounts (handled by the kubelet), not via the Kubernetes API. list/watch retained because the bundle-builder sidecar needs them (see TODO in clusterrole-product.yaml).
  • secrets/serviceaccounts get/list/watch - the workload pods access these via volume mounts (handled by the kubelet), not via the Kubernetes API
  • events.k8s.io events create/patch - neither OPA nor the user-info-fetcher sidecar emit Kubernetes events

OPA bundle builder ClusterRole rule removals

  • No rules were removed.
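A least-privilege check in the spirit of the removals listed above, as an added example that is not code from this PR or the operator: it flattens a ClusterRole into (apiGroup, resource, verb) triples and reports every verb the role grants beyond a hand-written required set. The "before" manifest is constructed here in `kubectl get clusterrole -o json` shape, and the `opa.stackable.tech` API group for `opaclusters` is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample: the operator ClusterRole before the cleanup, in
# `kubectl get -o json` shape. The API group for opaclusters is assumed.
BEFORE_JSON = """{
  "kind": "ClusterRole",
  "rules": [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["list", "watch"]},
    {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["configmaps", "services"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["opa.stackable.tech"], "resources": ["opaclusters"],
     "verbs": ["get", "list", "patch", "watch"]},
    {"apiGroups": ["opa.stackable.tech"], "resources": ["opaclusters/status"],
     "verbs": ["patch"]}
  ]
}"""

# What the operator is described as actually needing: Server-Side Apply is
# create + patch (never update), and only the status subresource is patched.
SSA_VERBS = ("create", "delete", "get", "list", "patch", "watch")
REQUIRED = {
    ("", "nodes/proxy", "get"),
    *{("", r, v) for r in ("configmaps", "services") for v in SSA_VERBS},
    *{("apps", "daemonsets", v) for v in SSA_VERBS},
    *{("opa.stackable.tech", "opaclusters", v) for v in ("get", "list", "watch")},
    ("opa.stackable.tech", "opaclusters/status", "patch"),
}

def expand(rules):
    """Flatten RBAC rules into (apiGroup, resource, verb) triples.
    A '*' in any position is kept verbatim; since REQUIRED never contains
    one, any wildcard is reported as excess rather than silently accepted."""
    return {(g, r, v) for rule in rules
            for g in rule.get("apiGroups", [""])
            for r in rule.get("resources", [])
            for v in rule.get("verbs", [])}

def excess_permissions(manifest_json, required):
    """Return {(apiGroup, resource): sorted verbs} that are granted but not required."""
    granted = expand(json.loads(manifest_json)["rules"])
    excess = defaultdict(set)
    for g, r, v in granted - required:
        excess[(g, r)].add(v)
    return {key: sorted(verbs) for key, verbs in excess.items()}

if __name__ == "__main__":
    for (group, resource), verbs in sorted(excess_permissions(BEFORE_JSON, REQUIRED).items()):
        print(f"{group or 'core'}/{resource}: drop {', '.join(verbs)}")
```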


NickLarsenNZ (Member, Author) left a comment


Needs a changelog

…clusterrole

Not needed for CRD maintenance nor startup condition
Not needed for clusterDomain detection
…duct clusterrole

OPA doesn't interact with the Kubernetes API
Required for startup condition regardless of CRD maintenance
Neither OPA nor UIF interact with the Kubernetes API
…tor.yaml and clusterrole-product.yaml

Also rename the opa-builder clusterrole file to be consistent
- get
# Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
# generated certificate in the conversion webhook.
{{- if .Values.maintenance.customResourceDefinitions.maintain }}
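Review bot: the comment on these lines reads "it's generated certificate", which should be "its generated certificate" (possessive); the suggested change below carries the same typo, so it is worth correcting while the comment is being moved, since this comment is the documented reason for the CRD permission.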


Suggested change
{{- if .Values.maintenance.customResourceDefinitions.maintain }}
# Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
# generated certificate in the conversion webhook.
{{- if .Values.maintenance.customResourceDefinitions.maintain }}
