
Commit 67349fa

🐛 fix: Add documented RBAC prerequisites to test template
Add bind and escalate verbs to test RBAC template to comply with documented prerequisites in docs/concepts/permission-model.md. These verbs are REQUIRED per our documentation for installer ServiceAccounts that install operators with their own RBAC.

The missing prerequisites were exposed by the rbac-escalation e2e test, which uses an operator requiring permissions the test SA doesn't have (storage.k8s.io, scheduling.k8s.io). Without bind/escalate verbs, Kubernetes rejects the ClusterRoleBinding creation with escalation prevention errors.

Previous tests passed because they only used test-operator, which has minimal RBAC (tokenreviews, subjectaccessreviews) that the test SA coincidentally already has. This created false confidence and hid the incomplete RBAC template.

Fixes: rbac-escalation e2e test
Aligns: test template with docs/concepts/permission-model.md
See: https://github.com/operator-framework/operator-controller/actions/runs/20920337864/job/60103970542?pr=2441
1 parent d192d08 commit 67349fa

1 file changed

Lines changed: 5 additions & 1 deletion

File tree

test/e2e/steps/testdata/rbac-template.yaml

@@ -50,7 +50,11 @@ rules:
5050
- roles
5151
- clusterrolebindings
5252
- rolebindings
53-
verbs: [ update, create, list, watch, get, delete, patch ]
53+
# The bind and escalate verbs allow the ServiceAccount to create role bindings
54+
# for roles it doesn't have and grant permissions beyond its own. This is required
55+
# because extension bundles contain their own RBAC that must be created.
56+
# See docs/concepts/permission-model.md for details on these requirements.
57+
verbs: [ update, create, list, watch, get, delete, patch, bind, escalate ]
5458
- apiGroups: ["coordination.k8s.io"]
5559
resources: ["leases"]
5660
verbs: [ update, create, list, watch, get, delete, patch ]
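Review bot: The new four-line comment above the changed `verbs:` line runs the two verbs together, which makes it read as though either one on its own does both things; `bind` is what lets the ServiceAccount create RoleBindings/ClusterRoleBindings referencing roles whose permissions it does not itself hold, while `escalate` is what lets it create or update Roles/ClusterRoles that grant more than it has. Suggest one line per verb so the next reader does not have to look it up, e.g. `# bind: create bindings to roles whose permissions this SA does not hold` and `# escalate: create/update roles that grant more than this SA itself has`. It is also worth saying in the same comment that, since the visible part of this rule carries no resourceNames restriction, these two verbs let the SA hand out any permission in the cluster, so this template is an e2e fixture and the production guidance lives in docs/concepts/permission-model.md; the doc reference is already there, but the caveat belongs next to the verbs it qualifies.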
