chore: Describe RBAC rules, remove unnecessary rules #129

Draft

NickLarsenNZ wants to merge 1 commit into main from chore/rbac-review

Conversation

NickLarsenNZ (Member) commented Mar 25, 2026

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Removed permissions

| Resource | API Group | Verb(s) removed | Reason |
|---|---|---|---|
| endpoints | "" | create, delete, get, list, patch, update, watch | Never managed by the operator. Kubernetes auto-creates Endpoints for Services; the operator never creates Endpoints objects directly. |
| pods | "" | create, delete, get, list, patch, update, watch | Never managed directly. StatefulSets implicitly create pods — the operator only creates the StatefulSet. |
| configmaps | "" | update | client.update() (HTTP PUT) is never called. All writes use client.apply_patch() (SSA = HTTP PATCH). |
| serviceaccounts | "" | update | Same reason as above. |
| services | "" | update | Same reason as above. |
| rolebindings | rbac.authorization.k8s.io | update | Same reason as above. |
| statefulsets | apps | update | Same reason as above. |
| poddisruptionbudgets | policy | update | Same reason as above. |
| opensearchclusters | opensearch.stackable.tech | patch | The operator never SSA-patches the primary CRD object. The spec is user-owned; only the status subresource is written (covered by the separate opensearchclusters/status rule). |

Retained permissions (with justification)

Operator ClusterRole

| Resource | API Group | Verbs | Justification |
|---|---|---|---|
| nodes | "" | list, watch | Cluster domain auto-detection: find a node to proxy through. |
| nodes/proxy | "" | get | Cluster domain auto-detection: read kubelet info containing the cluster domain. |
| configmaps, serviceaccounts, services | "" | create, delete, get, list, patch, watch | SSA apply (create+patch), orphan cleanup (list+delete), .owns() watch (watch), ReconciliationPaused strategy (get). |
| rolebindings | rbac.authorization.k8s.io | create, delete, get, list, patch, watch | Same pattern as above. Bind product ClusterRole to per-rolegroup ServiceAccounts. |
| statefulsets | apps | create, delete, get, list, patch, watch | Same pattern as above. Drive OpenSearch node pods. |
| poddisruptionbudgets | policy | create, delete, get, list, patch, watch | Same pattern as above. Limit voluntary disruptions. |
| customresourcedefinitions | apiextensions.k8s.io | get (+ create, patch, list, watch if maintenance enabled) | CRD maintenance and conversion webhook certificate injection. |
| listeners | listeners.stackable.tech | create, delete, get, list, patch, watch | SSA apply, orphan cleanup, .owns() watch, plus direct get_opt in dereference.rs to fetch the discovery service Listener. |
| events | events.k8s.io | create, patch | Emit reconciliation result events via report_controller_reconciled(). |
| opensearchclusters | opensearch.stackable.tech | get, list, watch | Primary CRD: controller watches for reconcile triggers and reads the object during reconciliation. |
| opensearchclusters/status | opensearch.stackable.tech | patch | apply_patch_status() updates conditions after each reconcile. |
| clusterroles (bind, opensearch-clusterrole) | rbac.authorization.k8s.io | bind | Required to create RoleBindings that reference the product ClusterRole. |

Product ClusterRole

| Resource | API Group | Verbs | Justification |
|---|---|---|---|
| configmaps, secrets, serviceaccounts | "" | get | Pods read their own configuration (configmaps), TLS certificates (secrets), and ServiceAccount metadata at runtime. |
| events | events.k8s.io | create, patch | Pods emit Kubernetes Events via the Stackable logging framework. |
| securitycontextconstraints (nonroot-v2) | security.openshift.io | use | OpenShift only: allows pods to run as non-root without a specific seccomp profile. |
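As an added example (not part of this PR or of the operator's own code): a small Python check that flattens two ClusterRole rule lists, constructed here from the tables above, reports the verbs the review dropped per resource, and offers a wildcard-aware allows() so a reviewer can assert that a verb such as update on configmaps is really gone from the final rules.

```python
from collections import defaultdict

# Constructed "before" rules: the operator ClusterRole as the PR describes it
# prior to the review (no wildcards, but with verbs the operator never uses).
BEFORE = [
    {"apiGroups": [""],
     "resources": ["endpoints", "pods", "configmaps", "serviceaccounts", "services"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["apps"], "resources": ["statefulsets"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["opensearch.stackable.tech"], "resources": ["opensearchclusters"],
     "verbs": ["get", "list", "patch", "watch"]},
]

# Constructed "after" rules: only what the reconciler is documented to call
# (SSA apply = create+patch, orphan cleanup = list+delete, owns() = watch, get).
AFTER = [
    {"apiGroups": [""], "resources": ["configmaps", "serviceaccounts", "services"],
     "verbs": ["create", "delete", "get", "list", "patch", "watch"]},
    {"apiGroups": ["apps"], "resources": ["statefulsets"],
     "verbs": ["create", "delete", "get", "list", "patch", "watch"]},
    {"apiGroups": ["opensearch.stackable.tech"], "resources": ["opensearchclusters"],
     "verbs": ["get", "list", "watch"]},
]

def granted(rules):
    """Flatten RBAC rules into {(apiGroup, resource): set(verbs)}."""
    out = defaultdict(set)
    for rule in rules:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                out[(group, resource)].update(rule["verbs"])
    return out

def removed_verbs(before, after):
    """Verbs granted before but not after, keyed by (apiGroup, resource).
    A resource dropped entirely shows up with all of its former verbs."""
    b, a = granted(before), granted(after)
    return {k: sorted(v - a.get(k, set())) for k, v in b.items() if v - a.get(k, set())}

def allows(rules, group, resource, verb):
    """True if any rule grants `verb` on group/resource, honouring '*' wildcards
    the way the Kubernetes RBAC authorizer does."""
    for rule in rules:
        if (("*" in rule["apiGroups"] or group in rule["apiGroups"])
                and ("*" in rule["resources"] or resource in rule["resources"])
                and ("*" in rule["verbs"] or verb in rule["verbs"])):
            return True
    return False
```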
