chore: Describe RBAC rules, remove unnecessary rules#820

Draft
NickLarsenNZ wants to merge 1 commit intomainfrom
chore/rbac-review

Conversation

@NickLarsenNZ
Copy link
Member

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Operator ClusterRole ({fullname}-clusterrole)

| Resource | Before | After | Reason |
|---|---|---|---|
| pods | create delete get list patch update watch | Removed | Operator manages DaemonSets, not Pods directly. No `cluster_resources.add()`, not watched, not in orphan cleanup. Boilerplate from original template. |
| secrets | create delete get list patch update watch | Removed | Operator never adds Secrets via `cluster_resources.add()`. Framework silently skips orphan cleanup on 403. |
| endpoints | create delete get list patch update watch | Removed | Never managed directly; Kubernetes auto-creates endpoints for Services. |
| configmaps | create delete get list patch update watch | removed `update` | SSA uses `patch`, not `update`. `watch` kept because watched via `.owns()`. |
| services | create delete get list patch update watch | removed `update` | Same: SSA uses `patch`. |
| serviceaccounts | create delete get list patch update watch | removed `update`, `watch` | Not watched by the controller. SSA uses `patch`. |
| rolebindings | create delete get list patch update watch | removed `update`, `watch` | Not watched by the controller. SSA uses `patch`. |
| daemonsets | create delete get list patch update watch | removed `update` | SSA uses `patch`. `watch` kept because watched via `.owns()`. |
| batch/jobs | create get list patch update watch | Removed | Operator never creates Jobs. Jobs are in orphan cleanup list but framework skips on 403. Boilerplate from original template. |
| opaclusters | get list patch watch | removed `patch` | Operator only patches `/status` (covered by the separate `opaclusters/status` rule). The main resource is never patched. |
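The "Reason" column above is really a small mapping from what the controller does to the verbs it needs: server-side apply needs `create` and `patch` (never `update`), a child kind watched via `.owns()` needs `list` and `watch`, orphan cleanup needs `list` and `delete`, the primary resource's informer needs `get`, `list` and `watch`, and the status subresource needs only `patch`. The following is an added example that encodes that mapping so the "After" column can be derived and diffed against a ClusterRole instead of being checked by hand. It is not code from the operator or the Stackable framework; the `ControllerModel` for `opaclusters` and the per-interaction verb sets are assumptions reconstructed from the table, and the "Before" rules are constructed input mirroring the table's "Before" column.

```python
"""Derive the minimal RBAC verbs an operator needs from a model of what its
controller actually does, and diff that against what a ClusterRole grants.

Added example for this review, not the operator's own code. The verb sets per
interaction type are assumptions taken from the PR table's reasoning.
"""
from dataclasses import dataclass, field


@dataclass
class ControllerModel:
    primary: str                                   # CRD the controller reconciles
    applied: set = field(default_factory=set)      # written with server-side apply
    owned: set = field(default_factory=set)        # child kinds watched via .owns()
    cleaned_up: set = field(default_factory=set)   # kinds the orphan cleanup may delete
    status_patched: bool = True                    # controller writes <primary>/status


# Assumption: what each kind of interaction needs from the API server.
SSA_VERBS = {"create", "get", "patch"}      # apply is create-or-patch; never update
OWNS_VERBS = {"list", "watch"}              # .owns() runs an informer on the child kind
CLEANUP_VERBS = {"list", "delete"}          # find and delete orphaned children
PRIMARY_VERBS = {"get", "list", "watch"}    # the main informer on the CRD itself
STATUS_VERBS = {"patch"}                    # status subresource is patched only


def required_verbs(model, resource):
    """Verbs the controller needs for `resource` (plural name, e.g. 'configmaps'
    or 'opaclusters/status'); empty set if the controller never touches it."""
    if resource == model.primary:
        return set(PRIMARY_VERBS)
    if resource == f"{model.primary}/status":
        return set(STATUS_VERBS) if model.status_patched else set()
    verbs = set()
    if resource in model.applied:
        verbs |= SSA_VERBS
    if resource in model.owned:
        verbs |= OWNS_VERBS
    if resource in model.cleaned_up:
        verbs |= CLEANUP_VERBS
    return verbs


def review_rules(rules, model):
    """rules: list of {"resources": [...], "verbs": [...]} as in a ClusterRole.
    Returns {resource: (unnecessary_verbs, missing_verbs)} for every resource
    whose grant differs from what the model says the controller needs."""
    findings = {}
    for rule in rules:
        granted = set(rule["verbs"])
        for resource in rule["resources"]:
            needed = required_verbs(model, resource)
            extra, missing = granted - needed, needed - granted
            if extra or missing:
                findings[resource] = (sorted(extra), sorted(missing))
    return findings


ALL_VERBS = ["create", "delete", "get", "list", "patch", "update", "watch"]

# Constructed input mirroring the "Before" column of the PR table.
BEFORE_RULES = [
    {"resources": ["pods", "secrets", "endpoints", "configmaps", "services",
                   "serviceaccounts", "rolebindings", "daemonsets"],
     "verbs": ALL_VERBS},
    {"resources": ["jobs"],
     "verbs": ["create", "get", "list", "patch", "update", "watch"]},
    {"resources": ["opaclusters"], "verbs": ["get", "list", "patch", "watch"]},
    {"resources": ["opaclusters/status"], "verbs": ["patch"]},
]

# Assumed model of the operator described in the table: it applies and cleans up
# these five kinds, watches three of them via .owns(), and never creates Jobs
# (so Jobs are left out of cleaned_up even though the cleanup list names them).
OPA_MODEL = ControllerModel(
    primary="opaclusters",
    applied={"configmaps", "services", "serviceaccounts", "rolebindings", "daemonsets"},
    owned={"configmaps", "services", "daemonsets"},
    cleaned_up={"configmaps", "services", "serviceaccounts", "rolebindings", "daemonsets"},
)

if __name__ == "__main__":
    for resource, (extra, missing) in review_rules(BEFORE_RULES, OPA_MODEL).items():
        print(f"{resource}: drop {extra or '-'}; add {missing or '-'}")
```

Running it over the constructed "Before" rules reports `update` as unnecessary on the applied-and-owned kinds, `update` and `watch` on serviceaccounts and rolebindings, `patch` on `opaclusters`, every verb on pods, secrets, endpoints and jobs, and nothing on `opaclusters/status`, which is the "After" column. The same function also reports verbs a rule is missing, so it catches an over-trimmed rule as well as an over-granted one. The model is only as good as the inspection behind it: confirm the `applied`, `owned` and `cleaned_up` sets against the controller source before trusting the output.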
