Add clusterrolebinding for listing nodes

[bliemli]

This is somewhat strange. There's already a RoleBinding (note: not a ClusterRoleBinding which it should be) that references the ClusterRole cluster-admin`, but this obviously doesn't work as it's e.g. not possible to list nodes. At the same time I'm wondering why users of the webshell should have cluster-admin permissions.

If there's an agreement that we can just add the needed permissions to a separate ClusterRole we should do that instead of giving cluster-admin as a ClusterRoleBinding and remove these cluster-admin references alltogether.

[splattner]

I'm gonna address this in #9 and therefore close this

[splattner]

I think what we need is the admin ClusterRole and not cluster-admin ClusterRole: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

But it is also possible to use the cluster-admin ClusterRole in a (namespaced) Rolebinding as stated in the linked kubernetes doc arcticle.
When used in a RoleBinding, it gives full control over every resource in the role binding's namespace, including the namespace itself.

[bliemli]

The default ServiceAccount doesn't even need admin permissions inside its own namespace as it doesn't have to create RoleBindings. But we require certain permissions in other namespaces such as ArgoCD applications inside the argocd namespace.

So my suggestion would be to remove everything not needed permission-wise and only add what we need in specific ClusterRoles/Roles and ClusterRoleBindings/RoleBindings.

[splattner]

I created an Issue for Tracking and followup