[Fleet] Remove unsupported privileges from Fleet in serverless

[kpollich]

Fleet is currently referencing two cluster privileges that aren't supported in serverless. Soon, these privileges will be removed entirely and will result in validation errors in API requests. We should remove these privileges when Kibana is running in serverless mode.

• manage_service_account - We don't support enrolling self-hosted Fleet Servers on serverless, and users will always use the hosted Fleet Server provided by Fleet Service. So, this can be removed.
• read_cross_cluster - Right now, this privilege is specified in Fleet's data stream permissions. Cross cluster search is not supported in serverless, so this should be moved.

kibana/x-pack/plugins/fleet/server/services/package_policy.ts

Lines 174 to 181 in f21d6e4

	export const DATA_STREAM_ALLOWED_INDEX_PRIVILEGES = new Set([
	'auto_configure',
	'create_doc',
	'maintenance',
	'monitor',
	'read',
	'read_cross_cluster',
	]);

kibana/x-pack/plugins/fleet/server/routes/app/index.ts

Lines 63 to 68 in f21d6e4

	// check the manage_service_account cluster privilege
	else if (request.query.fleetServerSetup) {
	const esClient = (await context.core).elasticsearch.client.asCurrentUser;
	const { has_all_requested: hasAllPrivileges } = await esClient.security.hasPrivileges({
	body: { cluster: ['manage_service_account'] },
	});

We should be able to add a conditional check to determine whether Kibana is running in serverless mode before referencing these specific privileges.

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)