chore: Describe RBAC rules, remove unnecessary rules#916

Open

NickLarsenNZ wants to merge 11 commits into main from chore/rbac-review

Conversation

@NickLarsenNZ
Member

@NickLarsenNZ NickLarsenNZ commented Mar 26, 2026

Part of stackabletech/issues#798

Note

This was initially generated by a coding assistant to see how well it can inspect code and review the RBAC rules. The changes will be properly checked before reviews are requested.

  • Document each rule
  • Check the docs make sense. Rewrite where necessary
  • Remove unnecessary permissions
  • Attach explanations to PR description
  • Run all tests
  • Split operator and product roles into separate files

Operator ClusterRole ({fullname}-clusterrole)

Rules removed entirely

| Resource | Verbs removed | Reason |
|---|---|---|
| nodes | list, watch | Boilerplate from operator-templating (4 years old). KubernetesClusterInfo only uses nodes/proxy: get for cluster domain detection — no node listing or watching anywhere in the controller |
| endpoints | create, delete, get, list, patch, update, watch | Auto-created by Kubernetes for Services; the operator never manages endpoints directly |
| pods | create, delete, get, list, patch, update, watch | StatefulSets create pods; the operator never manages pods directly in the operator role |

update verb removed from all rules

SSA (apply_patch) uses HTTP PATCH, not HTTP PUT. client.update() is never called anywhere in the operator source.

watch removed from resources not watched by the controller

| Resource | Reason |
|---|---|
| serviceaccounts | Applied via cluster_resources.add() + orphan cleanup, but not watched via .owns() or .watches() in main.rs |
| rolebindings | Same as above |
| batch/jobs | Same as above |
| poddisruptionbudgets | Same as above |
| listeners.stackable.tech/listeners | Same as above — watch was added when the listener operator was integrated but no .owns(Listener) or .watches(Listener) call exists |

secrets reduced to get, create

The operator only calls client.get_opt::<Secret>() (to check existence) and client.create() (to generate the sensitive-property key and OIDC admin password). Secrets are never tracked by cluster_resources, so list, delete, patch, update, and watch are all unnecessary.

patch removed from nificlusters

The operator only calls apply_patch_status() on NifiCluster objects, which targets the /status subresource (covered by the separate nificlusters/status: patch rule). The main resource is never patched directly.

get removed from customresourcedefinitions

Not needed for crd maintenance, nor startup condition.


Product ClusterRole ({name}-clusterrole)

Remove the configmaps/secrets/serviceaccounts get rule for the product clusterrole. Anything needed is mounted. Anything needed by a NiFi processor should have an explicit role and binding made by the admin of the cluster.
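A reviewer checking a tightening like the one described above usually wants the removed permissions enumerated mechanically rather than read off a rendered YAML diff. The script below is an added example, not code from this pull request or from the operator repository: it flattens Kubernetes RBAC rules into (apiGroup, resource, verb) triples, diffs a "before" and "after" rule list, and confirms the claims in the description (no permissions added, `secrets` down to `get`/`create`, no `update` verb left anywhere). The `BEFORE`/`AFTER` rule lists are constructed from the PR text, not read from the chart, and the `nifi.stackable.tech` API group for the NifiCluster CRD is an assumption.

```python
"""Diff two Kubernetes RBAC rule lists and report dropped/added permissions.

Added example for reviewing a ClusterRole tightening. BEFORE/AFTER are
constructed from the PR description, not read from the operator's chart; the
"nifi.stackable.tech" group name is assumed.
"""
from itertools import product

# Kubernetes' standard resource verbs; a wildcard "*" verb is expanded to
# these so that "*" compares as a superset rather than as an opaque string.
STANDARD_VERBS = (
    "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection",
)

FULL = ["create", "delete", "get", "list", "patch", "update", "watch"]

# Constructed approximation of the operator ClusterRole before this PR.
BEFORE = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["list", "watch"]},
    {"apiGroups": [""], "resources": ["endpoints", "pods", "secrets", "serviceaccounts"], "verbs": FULL},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"], "verbs": FULL},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": FULL},
    {"apiGroups": ["policy"], "resources": ["poddisruptionbudgets"], "verbs": FULL},
    {"apiGroups": ["listeners.stackable.tech"], "resources": ["listeners"], "verbs": FULL},
    # "nifi.stackable.tech" is an assumed group name for the NifiCluster CRD.
    {"apiGroups": ["nifi.stackable.tech"], "resources": ["nificlusters"], "verbs": ["get", "list", "patch", "watch"]},
    {"apiGroups": ["nifi.stackable.tech"], "resources": ["nificlusters/status"], "verbs": ["patch"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["get"]},
]

# Verbs kept for resources that cluster_resources applies and cleans up but never watches.
TRACKED = ["create", "delete", "get", "list", "patch"]

# Constructed approximation of the operator ClusterRole after this PR.
AFTER = [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "create"]},
    {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": TRACKED},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"], "verbs": TRACKED},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": TRACKED},
    {"apiGroups": ["policy"], "resources": ["poddisruptionbudgets"], "verbs": TRACKED},
    {"apiGroups": ["listeners.stackable.tech"], "resources": ["listeners"], "verbs": TRACKED},
    {"apiGroups": ["nifi.stackable.tech"], "resources": ["nificlusters"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["nifi.stackable.tech"], "resources": ["nificlusters/status"], "verbs": ["patch"]},
]


def expand(rules):
    """Flatten RBAC rules into a set of (apiGroup, resource, verb) triples."""
    perms = set()
    for rule in rules:
        verbs = rule.get("verbs", [])
        if "*" in verbs:
            verbs = STANDARD_VERBS
        for group, resource, verb in product(rule.get("apiGroups", [""]), rule.get("resources", []), verbs):
            perms.add((group, resource, verb))
    return perms


def diff_permissions(before, after):
    """Return (removed, added) permission triples between two rule lists."""
    b, a = expand(before), expand(after)
    return b - a, a - b


def verbs_for(rules, group, resource):
    """Verbs a rule list grants on one resource (e.g. check 'secrets: get, create')."""
    return {v for g, r, v in expand(rules) if g == group and r == resource}


def resources_with_verb(rules, verb):
    """Resources that still carry a verb (e.g. confirm 'update' is gone everywhere)."""
    return sorted({f"{g}/{r}" if g else r for g, r, v in expand(rules) if v == verb})


def report(before, after):
    """Human-readable summary of removed verbs per resource, flagging any additions."""
    removed, added = diff_permissions(before, after)
    lines = []
    for key in sorted({(g, r) for g, r, _ in removed}):
        verbs = sorted(v for g, r, v in removed if (g, r) == key)
        lines.append(f"- {key[0] or 'core'}/{key[1]}: {', '.join(verbs)}")
    if added:
        lines.append("!! permissions ADDED (unexpected in a tightening PR): %s" % sorted(added))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE, AFTER))
```

Pointing `BEFORE` and `AFTER` at the parsed `rules:` lists of the real chart templates (for example via `kubectl get clusterrole ... -o json` on a cluster running each version) turns this into a regression check: an empty `added` set and an `update`-free `AFTER` are the two properties the description promises.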

@NickLarsenNZ
Member Author

--- PASS: kuttl/harness/external-access_nifi-1.28.1_zookeeper-latest-3.9.4_openshift-false (221.38s)
--- PASS: kuttl/harness/cluster_operation_nifi-latest-2.7.2_openshift-false (150.27s)
--- PASS: kuttl/harness/custom-components-git-sync_nifi-1.28.1_zookeeper-latest-3.9.4_openshift-false (228.57s)
--- PASS: kuttl/harness/custom-components-git-sync_nifi-2.6.0_zookeeper-latest-3.9.4_openshift-false (243.62s)
--- PASS: kuttl/harness/custom-components-git-sync_nifi-2.7.2_zookeeper-latest-3.9.4_openshift-false (215.14s)
--- PASS: kuttl/harness/external-access_nifi-2.6.0_zookeeper-latest-3.9.4_openshift-false (122.89s)
--- PASS: kuttl/harness/external-access_nifi-2.7.2_zookeeper-latest-3.9.4_openshift-false (125.83s)
--- PASS: kuttl/harness/iceberg-hive_nifi-iceberg-hive-2.6.0_zookeeper-latest-3.9.4_opa-l-1.12.3_hdfs-l-3.4.2_hive-l-4.2.0_trino-l-477_krb5-1.21.1_iceberg-use-kerberos-false_kerberos-realm-PROD.MYCORP_openshift-false (364.87s)
--- PASS: kuttl/harness/iceberg-hive_nifi-iceberg-hive-2.6.0_zookeeper-latest-3.9.4_opa-l-1.12.3_hdfs-l-3.4.2_hive-l-4.2.0_trino-l-477_krb5-1.21.1_iceberg-use-kerberos-true_kerberos-realm-PROD.MYCORP_openshift-false (461.33s)
--- PASS: kuttl/harness/iceberg-rest_nifi-iceberg-rest-2.7.2_hive-l-4.2.0_trino-l-477_openshift-false (528.66s)
--- PASS: kuttl/harness/ldap_nifi-1.28.1_zookeeper-latest-3.9.4_ldap-use-tls-false_openshift-false (226.22s)
--- PASS: kuttl/harness/ldap_nifi-1.28.1_zookeeper-latest-3.9.4_ldap-use-tls-true_openshift-false (213.89s)
--- PASS: kuttl/harness/ldap_nifi-2.6.0_zookeeper-latest-3.9.4_ldap-use-tls-false_openshift-false (297.41s)
--- PASS: kuttl/harness/ldap_nifi-2.6.0_zookeeper-latest-3.9.4_ldap-use-tls-true_openshift-false (185.37s)
--- PASS: kuttl/harness/ldap_nifi-2.7.2_zookeeper-latest-3.9.4_ldap-use-tls-false_openshift-false (223.93s)
--- PASS: kuttl/harness/ldap_nifi-2.7.2_zookeeper-latest-3.9.4_ldap-use-tls-true_openshift-false (215.64s)
--- PASS: kuttl/harness/logging_nifi-1.28.1_zookeeper-latest-3.9.4_openshift-false (197.59s)
--- PASS: kuttl/harness/logging_nifi-2.6.0_zookeeper-latest-3.9.4_openshift-false (176.00s)
--- PASS: kuttl/harness/logging_nifi-2.7.2_zookeeper-latest-3.9.4_openshift-false (141.93s)
--- PASS: kuttl/harness/oidc-opa_nifi-1.28.1_zookeeper-latest-3.9.4_opa-l-1.12.3_oidc-use-tls-false_openshift-false (350.76s)
--- PASS: kuttl/harness/oidc-opa_nifi-1.28.1_zookeeper-latest-3.9.4_opa-l-1.12.3_oidc-use-tls-true_openshift-false (358.07s)
--- PASS: kuttl/harness/oidc-opa_nifi-2.6.0_zookeeper-latest-3.9.4_opa-l-1.12.3_oidc-use-tls-false_openshift-false (292.33s)
--- PASS: kuttl/harness/oidc-opa_nifi-2.6.0_zookeeper-latest-3.9.4_opa-l-1.12.3_oidc-use-tls-true_openshift-false (318.99s)
--- PASS: kuttl/harness/oidc-opa_nifi-2.7.2_zookeeper-latest-3.9.4_opa-l-1.12.3_oidc-use-tls-false_openshift-false (304.83s)
--- PASS: kuttl/harness/oidc-opa_nifi-2.7.2_zookeeper-latest-3.9.4_opa-l-1.12.3_oidc-use-tls-true_openshift-false (318.29s)
--- PASS: kuttl/harness/orphaned_resources_nifi-1.28.1_zookeeper-latest-3.9.4_openshift-false (222.31s)
--- PASS: kuttl/harness/orphaned_resources_nifi-2.6.0_zookeeper-latest-3.9.4_openshift-false (105.75s)
--- PASS: kuttl/harness/orphaned_resources_nifi-2.7.2_zookeeper-latest-3.9.4_openshift-false (121.11s)
--- PASS: kuttl/harness/resources_nifi-1.28.1_zookeeper-latest-3.9.4_openshift-false (250.58s)
--- PASS: kuttl/harness/resources_nifi-2.6.0_zookeeper-latest-3.9.4_openshift-false (82.62s)
--- PASS: kuttl/harness/resources_nifi-2.7.2_zookeeper-latest-3.9.4_openshift-false (84.13s)
--- PASS: kuttl/harness/smoke_v1_nifi-v1-1.28.1_zookeeper-3.9.4_openshift-false_listener-class-cluster-internal (373.96s)
--- PASS: kuttl/harness/smoke_v1_nifi-v1-1.28.1_zookeeper-3.9.4_openshift-false_listener-class-external-unstable (259.99s)
--- PASS: kuttl/harness/smoke_v2_nifi-v2-2.6.0_use-zookeeper-manager-false_zookeeper-3.9.4_openshift-false_listener-class-cluster-internal (158.63s)
--- PASS: kuttl/harness/smoke_v2_nifi-v2-2.6.0_use-zookeeper-manager-false_zookeeper-3.9.4_openshift-false_listener-class-external-unstable (170.66s)
--- PASS: kuttl/harness/smoke_v2_nifi-v2-2.6.0_use-zookeeper-manager-true_zookeeper-3.9.4_openshift-false_listener-class-cluster-internal (292.15s)
--- PASS: kuttl/harness/smoke_v2_nifi-v2-2.6.0_use-zookeeper-manager-true_zookeeper-3.9.4_openshift-false_listener-class-external-unstable (293.61s)
--- PASS: kuttl/harness/smoke_v2_nifi-v2-2.7.2_use-zookeeper-manager-false_zookeeper-3.9.4_openshift-false_listener-class-cluster-internal (161.04s)
--- PASS: kuttl/harness/smoke_v2_nifi-v2-2.7.2_use-zookeeper-manager-false_zookeeper-3.9.4_openshift-false_listener-class-external-unstable (171.00s)
--- PASS: kuttl/harness/smoke_v2_nifi-v2-2.7.2_use-zookeeper-manager-true_zookeeper-3.9.4_openshift-false_listener-class-cluster-internal (292.19s)
--- PASS: kuttl/harness/smoke_v2_nifi-v2-2.7.2_use-zookeeper-manager-true_zookeeper-3.9.4_openshift-false_listener-class-external-unstable (292.31s)
--- PASS: kuttl/harness/upgrade_nifi_old-1.28.1_nifi_new-2.7.2_zookeeper-latest-3.9.4_openshift-false (412.00s)

@NickLarsenNZ NickLarsenNZ self-assigned this Apr 2, 2026
@NickLarsenNZ NickLarsenNZ moved this to Development: Waiting for Review in Stackable Engineering Apr 2, 2026
@NickLarsenNZ NickLarsenNZ marked this pull request as ready for review April 2, 2026 16:01