chore: Describe RBAC rules, remove unnecessary rules

[NickLarsenNZ]

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. the changes will be properly checked before reviews are requested.

• Document each rule
• Check the docs make sense. Rewrite where necessary
• Remove unnecessary permissions
• Attach explanations to PR description
• Run all tests
• Split operator and product roles into separate files

Operator ClusterRole ({fullname}-clusterrole) — Removed permissions

Removed	Reason
pods rule	The operator never creates or watches Pods directly. StatefulSets manage pods.
secrets from core resources	The operator never calls cluster_resources.add(secret). The orphan cleanup silently skips on 403.
endpoints from core resources	Auto-created by Kubernetes when a Service is created; never managed directly by the operator.
update verb (everywhere)	All resource creation goes through client.apply_patch() (SSA = HTTP PATCH). update = HTTP PUT = api.replace(), which is never called.
batch/jobs rule	The kafka operator never creates Jobs. This was boilerplate from the shared template.
watch on poddisruptionbudgets	PDBs are applied and orphan-cleaned, but they are not watched by the controller (no .owns() or .watches() in main.rs).
patch on kafkaclusters	The operator only patches the /status subresource (separate rule). There are no client.apply_patch() calls on the primary KafkaCluster object.
list + watch on authenticationclasses	AuthenticationClass is resolved via a direct client.get() call in authorization.rs/security.rs. There is no .watches(AuthenticationClass) in main.rs, so these verbs are unused.