chore: Describe RBAC rules, remove unnecessary rules #1020

Draft
NickLarsenNZ wants to merge 2 commits into main from chore/rbac-review

Conversation

NickLarsenNZ (Member) commented Mar 25, 2026

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Removed permissions

| Resource | Verbs removed | Reason |
| --- | --- | --- |
| nodes (core) | list, watch (entire rule removed) | Leftover boilerplate; only nodes/proxy GET is needed for cluster domain detection |
| pods (core) | entire entry removed | Pods are created by StatefulSets, never directly by the operator |
| secrets (core) | entire entry removed | Secrets are mounted by secret-operator; the operator never reads or creates Secrets directly |
| endpoints (core) | entire entry removed | Auto-created by Kubernetes for Services; never directly managed |
| batch/jobs | entire rule removed | The operator never creates Jobs (was boilerplate) |
| all rules | update | SSA uses patch; no client.update() or api.replace() calls exist anywhere |
| serviceaccounts | watch | Not registered with .owns() or .watches() |
| rolebindings | watch | Not registered with .owns() or .watches() |
| poddisruptionbudgets | watch | Not registered with .owns() or .watches() |
| listeners | watch | Not registered with .owns() or .watches() |

Split rule

zookeeperclusters and zookeeperznodes are now in separate rules:

| Resource | Verbs | Reason |
| --- | --- | --- |
| zookeeperclusters | get, list, watch | No finalizer, no direct patch needed on the main object |
| zookeeperznodes | get, list, watch, patch | patch required because the znode controller adds/removes a finalizer |

Added comments

Every rule now has a comment explaining why it exists.
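A reviewer-side check for the kind of trim this PR describes, added here as an example and not part of this PR or the operator's code. It applies the PR's own reasoning (no `update` under SSA, `watch` only for resources registered with `.owns()`/`.watches()`, drop resources the operator never touches) to a constructed ClusterRole given as JSON so it runs without PyYAML; the `WATCHED` and `UNUSED` sets are assumed inputs a reviewer fills in from the controller source.

```python
import json
from copy import deepcopy

# Constructed "before" ClusterRole, shaped like the one this PR trims
# (resource names taken from the PR description; verbs are illustrative).
BEFORE = json.loads("""{
 "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "example-operator-clusterrole"},
 "rules": [
  {"apiGroups": [""], "resources": ["nodes"], "verbs": ["list", "watch"]},
  {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},
  {"apiGroups": [""], "resources": ["serviceaccounts"],
   "verbs": ["get", "list", "watch", "patch", "update"]},
  {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "patch"]},
  {"apiGroups": ["zookeeper.stackable.tech"],
   "resources": ["zookeeperclusters", "zookeeperznodes"],
   "verbs": ["get", "list", "watch", "patch"]}
 ]}""")

# Assumed reviewer inputs: resources the controller registers with
# .owns()/.watches(), and resources the operator never touches at all.
WATCHED = {"zookeeperclusters", "zookeeperznodes", "statefulsets", "configmaps"}
UNUSED = {"jobs", "pods", "secrets", "endpoints"}

def audit(role, watched=WATCHED, unused=UNUSED, uses_update=False):
    """Return (resource, verb, reason) for every verb the operator cannot justify."""
    findings = []
    for rule in role.get("rules", []):
        for res in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                if verb == "*":
                    findings.append((res, verb, "wildcard verb"))
                elif res in unused:
                    findings.append((res, verb, "operator never touches this resource"))
                elif verb == "update" and not uses_update:
                    findings.append((res, verb, "SSA uses patch; no update() calls"))
                elif verb == "watch" and res not in watched:
                    findings.append((res, verb, "not registered with .owns()/.watches()"))
    return findings

def trim(role, findings):
    """Copy the role with flagged verbs removed. Resources that end up with
    different verb sets are split into separate rules (as this PR does);
    only apiGroups/resources/verbs are carried over."""
    flagged = {(r, v) for r, v, _ in findings}
    grouped = {}
    for rule in role.get("rules", []):
        for res in rule["resources"]:
            verbs = tuple(v for v in rule["verbs"] if (res, v) not in flagged)
            if verbs:  # a resource with no verbs left disappears entirely
                grouped.setdefault((tuple(rule["apiGroups"]), verbs), []).append(res)
    out = deepcopy(role)
    out["rules"] = [{"apiGroups": list(g), "resources": r, "verbs": list(v)}
                    for (g, v), r in grouped.items()]
    return out
```

Running `audit(BEFORE)` lists five drops (nodes/watch, serviceaccounts/watch and update, jobs/create and patch), and `trim` yields a four-rule role that `audit` no longer flags.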
