compliance-operator
Remove hard-coded and extensive ClusterRoles for `compliance-operator` and `api-resource-collector`
Context
These were originally added because they seemed to be a mechanism to grant permissions to the many resources the Compliance Operator needs to access. With every new resource type that the content supports, we have to update deploy/roles.yaml and keep these roles in sync.
This creates a dependency between the content version and the operator version, since older operator versions cannot support newer content that references new resource types.
Proposal
Let's remove these extensive roles and instead use impersonation to do the task we need [1] [2].
With this, the `compliance-operator` would need to impersonate `cluster-admin` for remediations, while the `api-resource-collector` would impersonate `cluster-reader` for accessing resources.
This has the added benefit that we would be able to remove remediation privileges in an easier manner, by simply removing the ability to impersonate from the `compliance-operator` service account.
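As an added illustration of what the proposed grants would look like (these are not the compliance-operator project's own manifests), the RBAC objects below give each service account the `impersonate` verb, pinned with `resourceNames` to one identity. Kubernetes authorises impersonation on the `users`, `groups`, `serviceaccounts`, `uids` and `userextras` resources of the core API group, so a ClusterRole is never impersonated directly: the caller acts as a user or group that is bound to that role, and the `Impersonate-User` header is mandatory even when the interesting part is the group. The role and binding names, the user names, the namespace placeholder, and the assumption that the `system:cluster-readers` group is bound to `cluster-reader` (as it is on OpenShift by default) are assumptions of this example; `system:masters` is the group that the default `cluster-admin` ClusterRoleBinding binds to `cluster-admin` on every Kubernetes cluster.

```yaml
# Added example of impersonation-based grants for the two service accounts
# named in the proposal. Not taken from the compliance-operator repository;
# everything marked ASSUMED is this example's choice, not the proposal's.
#
# Without resourceNames, "impersonate groups" lets the caller become *any*
# group, system:masters included, so every rule below pins the target name.
---
# compliance-operator: act as system:masters, which the built-in
# ClusterRoleBinding "cluster-admin" binds to the cluster-admin ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: compliance-operator-impersonate-cluster-admin   # ASSUMED name
rules:
- apiGroups: [""]
  resources: ["users"]
  verbs: ["impersonate"]
  resourceNames: ["compliance-operator-remediator"]     # ASSUMED synthetic user
- apiGroups: [""]
  resources: ["groups"]
  verbs: ["impersonate"]
  resourceNames: ["system:masters"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: compliance-operator-impersonate-cluster-admin   # ASSUMED name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: compliance-operator-impersonate-cluster-admin
subjects:
- kind: ServiceAccount
  name: compliance-operator
  namespace: <operator-namespace>   # placeholder; the proposal names no namespace
---
# api-resource-collector: act as a read-only group. system:cluster-readers is
# ASSUMED to be bound to the cluster-reader ClusterRole (OpenShift default).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: api-resource-collector-impersonate-cluster-reader   # ASSUMED name
rules:
- apiGroups: [""]
  resources: ["users"]
  verbs: ["impersonate"]
  resourceNames: ["api-resource-collector-reader"]     # ASSUMED synthetic user
- apiGroups: [""]
  resources: ["groups"]
  verbs: ["impersonate"]
  resourceNames: ["system:cluster-readers"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: api-resource-collector-impersonate-cluster-reader   # ASSUMED name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: api-resource-collector-impersonate-cluster-reader
subjects:
- kind: ServiceAccount
  name: api-resource-collector
  namespace: <operator-namespace>   # placeholder; the proposal names no namespace
```

To check the grant from the command line, `kubectl auth can-i impersonate groups/system:masters --as=system:serviceaccount:<operator-namespace>:compliance-operator` should answer `yes` for the operator account and `no` for the collector account; a client-go caller sets the identity through `rest.Config.Impersonate` (`UserName` and `Groups`), which is what sends the `Impersonate-User` and `Impersonate-Group` headers. Revoking remediation, as the proposal describes, is then deleting the first ClusterRoleBinding. For detection, API server audit events record the real caller in `user` and the assumed identity in `impersonatedUser`, so remediation activity stays attributable to the service account rather than appearing as an anonymous cluster-admin action.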
References
[1] https://techbloc.net/archives/4421
[2] https://johnharris.io/2019/08/least-privilege-in-kubernetes-using-impersonation/