Document solution for reading Node objects

Also a bit of tidying up from other recent cluster-sharing PRs.

Signed-off-by: Mike Spreitzer <mspreitz@us.ibm.com>

Author: MikeSpreitzer

.github/workflows/ci-e2e-openshift.yaml

@@ -908,11 +908,6 @@ jobs:
           kubectl delete namespace "$FMA_NAMESPACE" \
             --ignore-not-found --timeout=120s || true
 
-          # Delete CRDs
-          # TODO: Implement safe CRD lifecycle management for tests (e.g., handle shared clusters,
-          #       concurrent test runs, and version upgrades/downgrades) before enabling CRD deletion.
-          # kubectl delete -f config/crd/ --ignore-not-found || true
-
           echo "Cleanup complete"
 
       - name: Scale down controller on failure

docs/cluster-sharing.md

@@ -23,8 +23,6 @@ object.
 - A ClusterRoleBinding that binds the node-reading ClusterRole to an
   FMA ServiceAccount.
 
-- A ClusterRoleBinding that binds ClusterRole `view` to an FMA ServiceAccount.
-
 - A Namespace that FMA is installed in.
 
 ## Solution for the CustomResourceDefinition Objects
@@ -138,3 +136,21 @@ object.
   ValidatingAdmissionPolicy[Binding] objects.
 
 - The Helm chart does nothing about these policy objects.
+
+## Solution for reading Node objects
+
+- The Helm chart can optionally create a ClusterRoleBinding for a
+  ClusterRole with a given name.
+
+- The Helm chart does nothing about creating the ClusterRole for
+  reading Node objects.
+
+- The admin of a shared cluster has several choices about what to
+  maintain on behalf of users vs. authorize users to do.
+
+- The shared OpenShift cluster that we use for CI and developer
+  testing already authorizes every ServiceAccount to read Node
+  objects. The GHA workflow for E2E testing in the shared OpenShift
+  cluster: (a) does not create/update/delete a ClusterRole for reading
+  Node objects and (b) tells the Helm chart to NOT include the
+  ClusterRoleBinding.