We only want to give the operators cluster permissions for the resources that they'll watch in the MDC namespace (the CRs other than the service installation CR).

Additionally, in the MDC operator, the mobileclient-admin role should be added into the role.yaml rather than being in a separate file.

Also, figure out what to do with the mobile-developer role and rolebinding – should the operator create those, or should those be created first? My thinking is that they should be created separately: the operator doesn't create the namespace, so why should it give system:authenticated extra permissions in there?