Story
Resolution: Done
Major
Currently the service account created for the syncer uses the cluster-admin role. This is problematic because it grants more permissions than needed, and it also means our controller needs to run as admin in order to create the cluster role binding to the cluster-admin role.
We should create a clusterrole with just what is needed. See
https://github.com/kcp-dev/kcp/blob/main/pkg/cliplugins/workload/plugin/sync.go#L227
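
Why a binding to cluster-admin forces the controller to run as admin: Kubernetes RBAC escalation prevention lets a subject create a binding only to a role whose permissions it already holds (unless it has the bind verb on that role). The following is an added example, not kcp code: a simplified model of that check, in which `SCOPED_SYNCER` and `CONTROLLER` are constructed, hypothetical rule sets and not the permissions the syncer actually needs.

```python
# Added illustration: simplified model of Kubernetes RBAC escalation prevention.
# Assumptions: resourceNames, nonResourceURLs and the bind/escalate verbs are ignored.
from itertools import product

# cluster-admin, reduced to its resource rule (wildcard on everything).
CLUSTER_ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

# Hypothetical scoped role for the syncer (constructed, not kcp's real list).
SCOPED_SYNCER = [
    {"apiGroups": [""], "resources": ["namespaces"],
     "verbs": ["get", "list", "watch", "create"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
]

# Hypothetical controller permissions: the scoped rules plus the ability
# to create RBAC objects. It is not a cluster admin.
CONTROLLER = SCOPED_SYNCER + [
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "clusterrolebindings"],
     "verbs": ["create", "get"]},
]

def _covers(owned, wanted):
    """An owned list covers a wanted value if it holds it or holds '*'."""
    return "*" in owned or wanted in owned

def missing_permissions(creator_rules, role_rules):
    """Return (group, resource, verb) tuples of the role the creator lacks."""
    missing = []
    for rule in role_rules:
        for group, resource, verb in product(
                rule["apiGroups"], rule["resources"], rule["verbs"]):
            held = any(_covers(c["apiGroups"], group)
                       and _covers(c["resources"], resource)
                       and _covers(c["verbs"], verb)
                       for c in creator_rules)
            if not held:
                missing.append((group, resource, verb))
    return missing

def can_bind(creator_rules, role_rules):
    """The creator may bind the role only if nothing in it is missing."""
    return not missing_permissions(creator_rules, role_rules)

if __name__ == "__main__":
    print("bind scoped role:", can_bind(CONTROLLER, SCOPED_SYNCER))
    print("bind cluster-admin:", can_bind(CONTROLLER, CLUSTER_ADMIN))
    print("missing:", missing_permissions(CONTROLLER, CLUSTER_ADMIN))
```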