
chore: Describe RBAC rules, remove unnecessary rules #412

Draft
NickLarsenNZ wants to merge 2 commits into main from chore/rbac-review

Conversation

@NickLarsenNZ
Member

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Removed permissions

| Resource | Verbs removed | Reason |
| --- | --- | --- |
| nodes | get, list, watch | Cluster domain detection uses only nodes/proxy. The node name comes from the downward API env var; kubelet.rs makes a single direct GET to /api/v1/nodes/{name}/proxy/configz. No listing or watching of nodes is required. |
| pods | get | The pod restart controller uses Controller::new() on PartialObjectMeta<Pod>, which needs only list+watch internally. No individual get calls are made. |
| configmaps | get | The StatefulSet restart controller uses metadata_watcher, which needs only list+watch. No individual get calls are made. |
| secrets | get | Same as configmaps above. |
| statefulsets | get | StatefulSets are observed via a reflector backed by watcher (list+watch) and patched via Server-Side Apply (patch). SSA does not require a preceding get. |

Retained permissions

| Resource | Verbs | Reason |
| --- | --- | --- |
| pods | list, watch | Pod restart controller: Controller::new() on PartialObjectMeta<Pod> uses list+watch internally. |
| configmaps | list, watch | StatefulSet restart controller: metadata_watcher for ConfigMaps uses list+watch. |
| secrets | list, watch | StatefulSet restart controller: metadata_watcher for Secrets uses list+watch. |
| nodes/proxy | get | Cluster domain detection: operator-rs proxies to the kubelet /configz endpoint on the operator's own node to read clusterDomain. |
| statefulsets | list, watch | StatefulSet restart controller watches for StatefulSets labelled restarter.stackable.tech/enabled=true. |
| statefulsets | patch | StatefulSet restart controller patches pod template annotations via Server-Side Apply to trigger rolling restarts. |
| events.k8s.io/events | create, patch | Event reporting via Recorder/report_controller_reconciled in both the StatefulSet and Pod restart controllers. |
| pods/eviction | create | Pod restart controller calls pods.evict() when a restarter.stackable.tech/expires-at.* annotation timestamp is reached. |
| admissionregistration.k8s.io/mutatingwebhookconfigurations | create, patch | Webhook server manages its own MutatingWebhookConfiguration via Server-Side Apply, injecting the generated CA certificate. |
| apiextensions.k8s.io/customresourcedefinitions | get, create, patch | Conversion webhook maintains the CRDs for AuthenticationClass, S3Connection, and S3Bucket, injecting the generated CA certificate. get is retained as the framework reads the existing CRD before patching. Conditional on maintenance.customResourceDefinitions.maintain. |
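An added example (not part of this PR or the operator's code) of turning the retained-permissions table above into an allowlist and diffing a ClusterRole's rules against it, so that verbs like the removed `get` on nodes or statefulsets show up as excess. The rule list has the shape of `.rules` from `kubectl get clusterrole -o json`; the sample rules are constructed to resemble the pre-PR role, and the `apps` group for statefulsets is assumed (the table does not name it).

```python
"""Audit a ClusterRole rule list against a documented allowlist of (apiGroup, resource, verb)."""

# Retained permissions from the PR description. The apiextensions entries are conditional on
# maintenance.customResourceDefinitions.maintain; "apps" for statefulsets is assumed, not from the page.
EXPECTED = {
    ("", "pods", "list"), ("", "pods", "watch"),
    ("", "configmaps", "list"), ("", "configmaps", "watch"),
    ("", "secrets", "list"), ("", "secrets", "watch"),
    ("", "nodes/proxy", "get"),
    ("", "pods/eviction", "create"),
    ("apps", "statefulsets", "list"), ("apps", "statefulsets", "watch"), ("apps", "statefulsets", "patch"),
    ("events.k8s.io", "events", "create"), ("events.k8s.io", "events", "patch"),
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations", "create"),
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations", "patch"),
    ("apiextensions.k8s.io", "customresourcedefinitions", "get"),
    ("apiextensions.k8s.io", "customresourcedefinitions", "create"),
    ("apiextensions.k8s.io", "customresourcedefinitions", "patch"),
}

def expand(rules):
    """Flatten rules (shape of `kubectl get clusterrole -o json` .rules) into triples.
    Wildcards ("*") are kept literally so they surface as excess instead of matching anything."""
    triples = set()
    for rule in rules:
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    triples.add((group, resource, verb))
    return triples

def audit(rules, expected=EXPECTED):
    """Return (excess, missing): grants beyond the allowlist, and allowlisted grants that are absent."""
    granted = expand(rules)
    return sorted(granted - expected), sorted(expected - granted)

# Constructed sample: a pre-PR style role that still carries the verbs the PR removes.
BEFORE_RULES = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["pods", "configmaps", "secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/eviction"], "verbs": ["create"]},
    {"apiGroups": ["apps"], "resources": ["statefulsets"], "verbs": ["get", "list", "watch", "patch"]},
    {"apiGroups": ["events.k8s.io"], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["admissionregistration.k8s.io"], "resources": ["mutatingwebhookconfigurations"], "verbs": ["create", "patch"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["get", "create", "patch"]},
]

if __name__ == "__main__":
    for label, items in zip(("EXCESS", "MISSING"), audit(BEFORE_RULES)):
        for group, resource, verb in items:
            print(f"{label} {group or 'core'}/{resource}: {verb}")
```

Running it on the sample reports seven excess grants (the five removed verbs across nodes, pods, configmaps, secrets and statefulsets) and nothing missing; a wildcard rule is reported as excess and leaves every documented grant "missing", which is the right prompt to look closer.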

