pixie
Restrict clusterroles used by Pixie operator
Describe the bug

Installing the Pixie operator currently deploys a clusterrole which allows the operator to create other clusterroles when deploying Vizier. This is because Vizier itself requires a clusterrole to allow it to list nodes/namespaces. It is better to restrict the operator's clusterrole permissions, as this can be used to create more permissive clusterroles.

Expected behavior

Having the Vizier clusterrole to list nodes/namespaces is still a requirement in Pixie. However, we should investigate updating the operator so that it deploys with those clusterroles off the bat, rather than having the ability to create new clusterroles.
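
An added example, not part of the original issue or Pixie's code: a check over parsed ClusterRole manifests that flags any rule granting write access to `clusterroles` or `clusterrolebindings`, the permission this issue asks to remove from the operator. The role names and rules below are constructed for illustration and are not Pixie's actual manifests.

```python
# Verbs that let a subject author or widen cluster-wide RBAC objects.
WRITE_VERBS = {"create", "update", "patch", "escalate", "bind", "*"}
RBAC_GROUP = "rbac.authorization.k8s.io"
RBAC_RESOURCES = {"clusterroles", "clusterrolebindings", "*"}


def rbac_write_findings(cluster_role):
    """Return (rule_index, resources, verbs) for each rule that can write cluster RBAC."""
    findings = []
    for i, rule in enumerate(cluster_role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        if not groups & {RBAC_GROUP, "*"}:
            continue  # rule does not touch the RBAC API group
        resources = set(rule.get("resources", [])) & RBAC_RESOURCES
        verbs = set(rule.get("verbs", [])) & WRITE_VERBS
        if resources and verbs:
            findings.append((i, sorted(resources), sorted(verbs)))
    return findings


# Constructed sample: an operator role that can create clusterroles at runtime.
OPERATOR_BROAD = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator-broad"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes", "namespaces"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [RBAC_GROUP],
         "resources": ["clusterroles", "clusterrolebindings"],
         "verbs": ["get", "create", "update"]},
    ],
}

# Constructed sample: the node/namespace listing role ships with the install,
# so the operator only needs read access to RBAC objects.
OPERATOR_RESTRICTED = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator-restricted"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes", "namespaces"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"],
         "verbs": ["get", "list"]},
    ],
}

if __name__ == "__main__":
    for role in (OPERATOR_BROAD, OPERATOR_RESTRICTED):
        print(role["metadata"]["name"], rbac_write_findings(role))
```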