chore: Describe RBAC rules, remove unnecessary rules#693

Draft
NickLarsenNZ wants to merge 2 commits into main from chore/rbac-review
Conversation

@NickLarsenNZ
Member

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Permissions removed

| API Group | Resource | Verb(s) removed | Reason |
|---|---|---|---|
| "" (core) | configmaps | get, list, watch | Duplicate rule — configmaps was already covered by an earlier rule granting create, patch, get, watch, list |
| secrets.stackable.tech | truststores | create, patch (conditional) | The operator only reconciles existing TrustStores; it never creates them. Only a default SecretClass is applied at startup, not a default TrustStore |

Permissions retained (with justification)

| API Group | Resource | Verbs | Reason |
|---|---|---|---|
| apiextensions.k8s.io | customresourcedefinitions | create, patch, list, watch | Maintain CRD and inject generated certificate into conversion webhook. Conditional on maintenance.customResourceDefinitions.maintain. |
| "" (core) | secrets | get, list, watch, create, patch, update | Read/written by autoTLS (CA secret rotation via kube entry API — replace() = HTTP PUT requires update), kerberosKeytab, k8sSearch, certManager backends and truststore controller |
| "" (core) | events | get, list, watch, create, patch, update | Required by the external-provisioner sidecar container (same ServiceAccount), which uses the legacy core/v1 events API including update |
| "" (core) | configmaps | create, patch, get, watch, list | Truststore controller applies ConfigMaps via SSA and watches them via .owns()/.watches(). Also read by autoTLS (additional trust roots) and k8sSearch (trust-store ConfigMap) |
| "" (core) | persistentvolumes | get, list, watch, patch, create, delete | Managed entirely by the external-provisioner sidecar container, not the operator binary directly |
| "" (core) | nodes | get, list, watch | CSI node service reads node IPs for certificate SANs; list/watch also needed by the external-provisioner sidecar for topology |
| "" (core) | persistentvolumeclaims | get, list, watch | CSI controller service reads PVCs during CreateVolume to locate the owning Pod and resolve listener scope; also needed by the external-provisioner sidecar |
| "" (core) | nodes/proxy | get | Automatic cluster domain detection via the kubelet API |
| "" (core) | pods | get, patch | CSI controller and node services read pod metadata for secret scope resolution; patched with expiry annotations so the restarter can evict pods before certificates expire |
| storage.k8s.io | csinodes | get, list, watch | External-provisioner sidecar and node-driver-registrar for topology-aware volume scheduling |
| storage.k8s.io | storageclasses | get, list, watch | External-provisioner sidecar reads provisioner configuration |
| secrets.stackable.tech | secretclasses | get, watch, list (+ conditional create, patch) | Watched by the truststore controller via .watches_stream() and read in reconcile(). create/patch (when CRD maintenance is enabled) deploys the default tls SecretClass |
| secrets.stackable.tech | truststores | get, watch, list | Primary reconciled resource — Controller::new watches this type |
| listeners.stackable.tech | listenerclasses, listeners, podlisteners | get | Read during volume provisioning to resolve listener-scoped addresses for TLS SANs and topology node pinning |
| cert-manager.io | certificates | get, patch, create | certManager backend applies Certificates via SSA and reads them back to check topology node affinity |
| events.k8s.io | events | create, patch | kube-rs controller event recorder (distinct from the legacy core/v1 events used by the external-provisioner) |
| security.openshift.io | securitycontextconstraints | use | OpenShift only — allows pods to use the operator's SCC (privileged container required for Bidirectional mount propagation) |

Notes

  • There is a single ClusterRole and ServiceAccount shared between the controller Deployment and the CSI node DaemonSet (including the external-provisioner sidecar). Several permissions are required solely by sidecar containers rather than the operator binary itself.
  • update on secrets is non-obvious: the autoTLS CA rotation code uses the kube entry API, which calls replace() (HTTP PUT) on existing entries — Server-Side Apply (patch) is not sufficient here.
  • update on events (core v1) is for the external-provisioner sidecar, not the operator. The operator uses events.k8s.io exclusively.
