
chore: Describe RBAC rules, remove unnecessary rules#770

Draft
NickLarsenNZ wants to merge 2 commits into main from chore/rbac-review

Conversation

@NickLarsenNZ
Member

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Explanation

Operator ClusterRole ({fullname}-clusterrole)

| Rule | Action | Reason |
| --- | --- | --- |
| `nodes` (list, watch, get) | Removed | The operator never reads Node objects. Cluster domain detection uses `nodes/proxy`. The topology provider runs in product pods via `hdfs-clusterrole-nodes`, not the operator. The `get` was added in bc0d9a9 alongside rack awareness but belongs to the product ClusterRole. |
| `pods` | Removed | Operator never creates, reads, lists, or watches pods. Pods are managed by StatefulSets. |
| `secrets` | Removed | Operator never creates or manages Secrets. They appear in `delete_orphaned_resources()` but the operator never `add()`s them, so orphan cleanup finds nothing (framework silently skips on 403). |
| `endpoints` (both occurrences) | Removed | Operator never reads endpoints. The standalone rule was added in bc0d9a9 for rack awareness, but endpoint querying runs in product pods. Kubernetes auto-creates endpoints for Services. |
| `update` verb (everywhere) | Removed | All resource creation/update goes through SSA (`apply_patch`). `update` = HTTP PUT = `api.replace()`, which is never called anywhere in the operator source. |
| `watch` on `serviceaccounts` | Removed | Controller does not `.own()` or `.watches()` ServiceAccounts. |
| `watch` on `rolebindings` | Removed | Controller does not `.own()` RoleBindings. |
| `watch` on `poddisruptionbudgets` | Removed | Controller does not `.own()` PodDisruptionBudgets. |
| `batch/jobs` | Removed entirely | Operator never creates Jobs. Boilerplate from the original template. |
| `patch` on `hdfsclusters` | Removed | Operator only patches the `/status` subresource via `client.apply_patch_status()`. The main resource is never patched directly. |
| `list` on `listeners` | Removed | Operator never `add()`s Listeners — they are managed by the listener-operator. Orphan cleanup finds nothing; `get` alone suffices for `namenode_listener_refs`. |
| `get`, `update`, `list`, `watch` on `clusterrolebindings` | Removed | The nodes controller patches this ClusterRoleBinding with a single SSA `api.patch()` call. No prior GET is needed; SSA only requires `create` + `patch`. |
| Comments added | Documentation | Added comments to all rules explaining their purpose. |

Product ClusterRole (hdfs-clusterrole)

No rule changes — permissions left as-is per plan guidance for product-level runtime permissions. Added comments explaining the purpose of each resource.

Nodes ClusterRole (hdfs-clusterrole-nodes)

No rule changes. Added comments explaining the topology provider's needs for pods/nodes/endpoints and the listener lookup flow.
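Added example, not code from this PR or the operator repository: a small least-privilege check in the spirit of the review above. It flattens a ClusterRole's `rules[]` into (apiGroup, resource, verb) triples and diffs them against the set the controller is known to call, reporting excess grants and flagging `*` wildcards that cannot be diffed. The "before" rules and the `NEEDED` set are constructed from the table in the description (they are assumptions, not the repository's YAML), and the names `expand`, `excess`, `missing` and `wildcards` are hypothetical.

```python
from itertools import product

# Constructed "before" rules, shaped like rules[] of an RBAC ClusterRole and
# containing the over-broad entries the PR description says were present.
BEFORE_RULES = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["list", "watch", "get"]},
    {"apiGroups": [""], "resources": ["pods", "secrets", "endpoints", "services", "configmaps"],
     "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]},
    {"apiGroups": ["batch"], "resources": ["jobs"],
     "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterrolebindings"],
     "verbs": ["get", "update", "list", "watch", "create", "patch"]},
]

# Constructed minimal need set (assumption): the (apiGroup, resource, verb)
# triples the controller actually exercises. SSA apply needs create + patch only.
NEEDED = (
    {("", "services", v) for v in ("get", "list", "watch", "create", "patch", "delete")}
    | {("", "configmaps", v) for v in ("get", "list", "watch", "create", "patch", "delete")}
    | {("rbac.authorization.k8s.io", "clusterrolebindings", v) for v in ("create", "patch")}
)


def expand(rules):
    """Flatten ClusterRole rules into a set of (apiGroup, resource, verb) triples."""
    triples = set()
    for rule in rules:
        groups = rule.get("apiGroups", [""])  # core group is the empty string
        for group, resource, verb in product(groups, rule["resources"], rule["verbs"]):
            triples.add((group, resource, verb))
    return triples


def wildcards(rules):
    """Rules granting '*' cannot be diffed triple by triple; review them by hand."""
    return [r for r in rules
            if "*" in r.get("apiGroups", []) or "*" in r["resources"] or "*" in r["verbs"]]


def excess(rules, needed):
    """Granted triples that nothing in the controller needs (sorted for a stable report)."""
    return sorted(expand(rules) - needed)


def missing(rules, needed):
    """Needed triples the role does not grant; non-empty means the trim went too far."""
    return sorted(needed - expand(rules))


if __name__ == "__main__":
    for triple in excess(BEFORE_RULES, NEEDED):
        print("excess:", triple)
    for rule in wildcards(BEFORE_RULES):
        print("wildcard rule, manual review:", rule)
```

Running `missing()` against the trimmed role is the check that guards the other direction: a grant removed by mistake shows up there before the operator hits a 403 at runtime.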
