chore: Describe RBAC rules, remove unnecessary rules#717

Merged
NickLarsenNZ merged 13 commits into main from chore/rbac-review
Apr 9, 2026

Conversation

@NickLarsenNZ
Member

@NickLarsenNZ NickLarsenNZ commented Mar 25, 2026

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Operator ClusterRole rule removals

  • pods rule (all verbs) - operator never manages pods directly; StatefulSets create them
  • secrets rule (all verbs) - operator only references secret names in Pod specs; never reads or manages them
  • endpoints rule (all verbs) - auto-created by Kubernetes when a Service is created; never managed directly
  • duplicate secrets entry - was listed twice in the same rule
  • update verb on all resources - never used; all writes use Server-Side Apply (create + patch)
  • watch verb on serviceaccounts - not watched by the controller
  • watch verb on rolebindings - not watched by the controller
  • watch verb on poddisruptionbudgets - not watched by the controller
  • watch verb on listeners - not watched by the controller
  • delete verb on jobs - jobs are not tracked for orphan cleanup
  • patch verb on supersetclusters - operator only patches the /status subresource, not the main resource
  • patch verb on druidconnections - operator only patches the /status subresource, not the main resource
  • get, list, watch verbs on druidconnections/status - was bundled with druidconnections; status subresource only needs patch
  • get verb on customresourcedefinitions - not needed outside of CRD maintenance; list and watch (now unconditional) cover read access
  • nodes list/watch rule - not needed; only nodes/proxy get is required for cluster domain detection

Product ClusterRole rule removals

  • configmaps, secrets, serviceaccounts get rule - Superset pods don't need to read these Kubernetes resources
  • events.k8s.io events create/patch rule - Superset pods don't emit Kubernetes events
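The removals above follow a few recurring least-privilege patterns (duplicate resources in one rule, an `update` verb that Server-Side Apply never needs, a `/status` subresource bundled with its parent resource, and resources the controller never touches). The audit below is an added example, not code from the superset-operator; the `BEFORE`/`AFTER` rule sets are constructed samples shaped like the description, not the real chart template, and `unused_resources` is a hypothetical parameter the reviewer fills in from reading the controller.

```python
"""Audit ClusterRole rules for the patterns this review removed (added example)."""
from collections import Counter

# Constructed sample resembling the pre-review state (not the real template).
BEFORE = [
    {"apiGroups": [""], "resources": ["pods", "secrets", "configmaps", "secrets"],
     "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]},
    {"apiGroups": ["superset.stackable.tech"],
     "resources": ["druidconnections", "druidconnections/status"],
     "verbs": ["get", "list", "watch", "patch"]},
    {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},
]

# Constructed sample of the same rules after applying the review's principles.
AFTER = [
    {"apiGroups": [""], "resources": ["configmaps"],
     "verbs": ["get", "list", "watch", "create", "patch", "delete"]},
    {"apiGroups": ["superset.stackable.tech"], "resources": ["druidconnections"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["superset.stackable.tech"],
     "resources": ["druidconnections/status"], "verbs": ["patch"]},
    {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},
]


def audit_rules(rules, ssa_only=True, unused_resources=()):
    """Return (rule_index, message) findings; an empty list means no pattern matched."""
    findings = []
    for i, rule in enumerate(rules):
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        # Same resource listed twice in one rule (the duplicate secrets entry).
        for name, count in Counter(resources).items():
            if count > 1:
                findings.append((i, f"duplicate resource {name!r}"))
        # All writes go through Server-Side Apply (create + patch), so update is dead weight.
        if ssa_only and "update" in verbs:
            findings.append((i, "update verb unnecessary when writes use Server-Side Apply"))
        for name in resources:
            if name in unused_resources:
                findings.append((i, f"{name!r} is not managed by the controller"))
            if name.endswith("/status"):
                # A status subresource only ever needs patch, in its own rule.
                extra = sorted(verbs - {"patch"})
                if extra:
                    findings.append((i, f"{name!r} only needs patch; drop {extra}"))
                parent = name.rsplit("/", 1)[0]
                if parent in resources:
                    findings.append((i, f"{name!r} is bundled with {parent!r}; split it out"))
    return findings
```

Feed it the rules from a rendered chart (`helm template ... | yq`) and the findings list is the review checklist; an empty list for `AFTER` shows the corrected shape passes.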

Comment thread CHANGELOG.md Outdated
@NickLarsenNZ
Member Author

--- PASS: kuttl/harness/smoke_superset-4.1.4_openshift-false (152.46s)
--- PASS: kuttl/harness/oidc_superset-6.0.0_openshift-false (176.53s)
--- PASS: kuttl/harness/oidc_superset-4.1.4_openshift-false (130.01s)
--- PASS: kuttl/harness/cluster-operation_superset-latest-6.0.0_openshift-false (117.32s)
--- PASS: kuttl/harness/logging_superset-6.0.0_openshift-false (115.44s)
--- PASS: kuttl/harness/logging_superset-4.1.4_openshift-false (115.25s)
--- PASS: kuttl/harness/opa_superset-4.1.4_opa-latest-1.12.3_openshift-false (324.50s)
--- PASS: kuttl/harness/opa_superset-6.0.0_opa-latest-1.12.3_openshift-false (335.88s)
--- PASS: kuttl/harness/external-access_superset-4.1.4_openshift-false (88.02s)
--- PASS: kuttl/harness/external-access_superset-6.0.0_openshift-false (90.27s)
--- PASS: kuttl/harness/ldap_superset-6.0.0_ldap-authentication-server-verification-tls_openshift-false (116.52s)
--- PASS: kuttl/harness/ldap_superset-6.0.0_ldap-authentication-no-tls_openshift-false (116.95s)
--- PASS: kuttl/harness/ldap_superset-6.0.0_ldap-authentication-insecure-tls_openshift-false (115.01s)
--- PASS: kuttl/harness/ldap_superset-4.1.4_ldap-authentication-server-verification-tls_openshift-false (112.62s)
--- PASS: kuttl/harness/ldap_superset-4.1.4_ldap-authentication-no-tls_openshift-false (114.44s)
--- PASS: kuttl/harness/ldap_superset-4.1.4_ldap-authentication-insecure-tls_openshift-false (116.15s)
--- PASS: kuttl/harness/resources_superset-latest-6.0.0_openshift-false (75.83s)
--- PASS: kuttl/harness/druid-connection_superset-6.0.0_openshift-false (85.51s)
--- PASS: kuttl/harness/druid-connection_superset-4.1.4_openshift-false (75.58s)
--- PASS: kuttl/harness/smoke_superset-6.0.0_openshift-false (105.70s)

@NickLarsenNZ NickLarsenNZ self-assigned this Apr 8, 2026
@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering Apr 8, 2026
@NickLarsenNZ NickLarsenNZ marked this pull request as ready for review April 8, 2026 14:18
@razvan razvan self-requested a review April 8, 2026 14:31
@razvan razvan moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Apr 8, 2026
Member

@razvan razvan left a comment

one possible omission

Comment thread deploy/helm/superset-operator/templates/clusterrole-operator.yaml
@NickLarsenNZ NickLarsenNZ requested a review from razvan April 9, 2026 06:00
Member

@razvan razvan left a comment

lgtm

@NickLarsenNZ NickLarsenNZ added this pull request to the merge queue Apr 9, 2026
@NickLarsenNZ NickLarsenNZ moved this from Development: In Review to Development: Done in Stackable Engineering Apr 9, 2026
Merged via the queue into main with commit fb6cd46 Apr 9, 2026
12 checks passed
@NickLarsenNZ NickLarsenNZ deleted the chore/rbac-review branch April 9, 2026 07:01
@lfrancke lfrancke moved this from Development: Done to Done in Stackable Engineering Apr 9, 2026