Add HEP-related RBAC for policy recommendation (#4594)

The host endpoint policy recommendation engine needs access to
stagedglobalnetworkpolicies, globalnetworkpolicies, and hostendpoints
resources (including their tier-scoped variants) to create and manage
recommended policies for non-cluster hosts.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: xiumozhan

pkg/render/policyrecommendation.go

@@ -155,7 +155,12 @@ func (pr *policyRecommendationComponent) clusterRole() client.Object {
 				"tier.stagednetworkpolicies",
 				"networkpolicies",
 				"tier.networkpolicies",
+				"stagedglobalnetworkpolicies",
+				"tier.stagedglobalnetworkpolicies",
+				"globalnetworkpolicies",
+				"tier.globalnetworkpolicies",
 				"globalnetworksets",
+				"hostendpoints",
 			},
 			Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"},
 		},

pkg/render/policyrecommendation_test.go

@@ -151,7 +151,12 @@ var _ = Describe("Policy recommendation rendering tests", func() {
 					"tier.stagednetworkpolicies",
 					"networkpolicies",
 					"tier.networkpolicies",
+					"stagedglobalnetworkpolicies",
+					"tier.stagedglobalnetworkpolicies",
+					"globalnetworkpolicies",
+					"tier.globalnetworkpolicies",
 					"globalnetworksets",
+					"hostendpoints",
 				},
 				Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"},
 			},