
chore: Describe RBAC rules, remove unnecessary rules#693

Draft
NickLarsenNZ wants to merge 2 commits into main from chore/rbac-review

Conversation

@NickLarsenNZ
Member

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Permissions removed from operator ClusterRole

| Resource | Verbs removed | Reason |
|---|---|---|
| `pods` (core) | all | Operator never manages pods directly; StatefulSets create pods |
| `secrets` (core) | all | Operator never creates/manages secrets; DB/TLS/S3 secrets are user-managed and referenced by pods |
| `endpoints` (core) | all | Auto-created by Kubernetes from Services; never managed directly |
| `update` on all resources | `update` | SSA uses PATCH (`client.apply_patch()`); `client.update()` / `api.replace()` is never called |
| `watch` on `serviceaccounts` | `watch` | Not watched via `.owns()` or `.watches()` in `main.rs` |
| `watch` on `rolebindings` | `watch` | Not watched via `.owns()` or `.watches()` |
| `watch` on `poddisruptionbudgets` | `watch` | Not watched via `.owns()` or `.watches()` |
| `watch` on `listeners` | `watch` | Not watched via `.owns()` or `.watches()` |
| `batch/jobs` | all | Operator never creates Jobs; `delete_orphaned_resources` silently skips on 403 |
| `patch` on `hiveclusters` | `patch` | Operator only patches the `/status` subresource (separate rule); never SSA-applies the main HiveCluster resource |
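The table above lists the permissions being dropped and why. The script below is an added example, not part of this PR or the operator's own code: it encodes those removals as a policy and applies it to a ClusterRole's `rules` (in the shape `kubectl get clusterrole -o json` returns), producing the tightened rule set plus the list of `(group, resource, verb)` permissions that were removed, which is handy for attaching to a PR description. The API groups for the `hiveclusters` and `listeners` custom resources are assumptions (the PR does not state them), and the sample ClusterRole is constructed for illustration. Note that it keeps `patch` on the `hiveclusters/status` subresource while dropping it on the main resource, which is the distinction the last table row makes.

```python
"""Apply the RBAC removals from the PR table to a ClusterRole and report what was dropped.

Added example (not the operator's code). API groups marked 'assumed' are not on the page.
"""

# Resources the operator never touches: every verb on them is removed.
DROP_RESOURCES = {
    ("", "pods"),
    ("", "secrets"),
    ("", "endpoints"),
    ("batch", "jobs"),
}

# Verbs removed on every resource (SSA uses PATCH, never UPDATE/replace).
DROP_VERBS_EVERYWHERE = {"update"}

# Verbs removed only on specific (apiGroup, resource) pairs.
DROP_VERB_ON_RESOURCE = {
    ("", "serviceaccounts"): {"watch"},
    ("rbac.authorization.k8s.io", "rolebindings"): {"watch"},
    ("policy", "poddisruptionbudgets"): {"watch"},
    ("listeners.stackable.tech", "listeners"): {"watch"},  # group assumed
    ("hive.stackable.tech", "hiveclusters"): {"patch"},    # group assumed
    # 'hiveclusters/status' is deliberately absent: patch on the subresource stays.
}


def audit(rules):
    """Return (kept_rules, removed) for a list of RBAC rule dicts.

    Rules are split to one (apiGroup, resource) per entry so a removal on one
    resource can never strip a verb from another resource that shared the rule.
    Wildcards are rejected: a '*' rule cannot be audited against a verb list.
    """
    kept, removed = [], set()
    for rule in rules:
        groups = rule.get("apiGroups", [""])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in groups or "*" in resources or "*" in verbs:
            raise ValueError(f"wildcard rule must be expanded before auditing: {rule}")
        for group in groups:
            for resource in resources:
                key = (group, resource)
                keep = []
                for verb in verbs:
                    if (key in DROP_RESOURCES
                            or verb in DROP_VERBS_EVERYWHERE
                            or verb in DROP_VERB_ON_RESOURCE.get(key, ())):
                        removed.add((group, resource, verb))
                    else:
                        keep.append(verb)
                if keep:
                    kept.append({"apiGroups": [group], "resources": [resource], "verbs": keep})
    return kept, sorted(removed)


# Constructed sample ClusterRole rules (not the operator's real manifest).
SAMPLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
     "verbs": ["get", "list", "watch", "create", "patch", "update", "delete"]},
    {"apiGroups": [""], "resources": ["serviceaccounts"],
     "verbs": ["get", "list", "watch", "create", "patch", "delete"]},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["get", "list", "create"]},
    {"apiGroups": ["hive.stackable.tech"], "resources": ["hiveclusters"],
     "verbs": ["get", "list", "watch", "patch"]},
    {"apiGroups": ["hive.stackable.tech"], "resources": ["hiveclusters/status"],
     "verbs": ["patch"]},
]


def removed_as_markdown(removed):
    """Render the removed permissions as a markdown table for a PR description."""
    lines = ["| apiGroup | Resource | Verb removed |", "|---|---|---|"]
    for group, resource, verb in removed:
        lines.append(f"| `{group or 'core'}` | `{resource}` | `{verb}` |")
    return "\n".join(lines)


if __name__ == "__main__":
    kept_rules, removed_perms = audit(SAMPLE_RULES)
    print(removed_as_markdown(removed_perms))
    print()
    for r in kept_rules:
        print(r)
```

Splitting rules per resource changes the manifest's shape but not its meaning, so the output is safe to diff against the original with `kubectl auth can-i --list` as a final check that nothing the controller actually exercises was lost.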
