Constant BINDY_ADMIN_ROLE_YAML 

pub const BINDY_ADMIN_ROLE_YAML: &str = "# Copyright (c) 2025 Erick Bourgeois, firestoned\n# SPDX-License-Identifier: MIT\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: bindy-admin-role\n  labels:\n    app.kubernetes.io/name: bindy\n    app.kubernetes.io/component: rbac\n    app.kubernetes.io/role: admin\n  annotations:\n    description: \"Admin role for destructive operations - DO NOT bind to ServiceAccount\"\n    # Trivy suppressions - see inline justifications at affected rules\n    trivy.aquasecurity.com/ignore: KSV-0041,KSV-0056\nrules:\n  # ADMIN ONLY: Delete permissions for Bindy CRDs\n  # This role should be bound to human administrators, NOT the operator ServiceAccount\n  # Usage: kubectl create rolebinding ... --clusterrole=bindy-admin-role --user=admin@example.com\n\n  # Bind9Instance - admin delete permission\n  - apiGroups: [\"bindy.firestoned.io\"]\n    resources: [\"bind9instances\"]\n    verbs: [\"delete\", \"deletecollection\"]\n\n  # Bind9Cluster - admin delete permission\n  - apiGroups: [\"bindy.firestoned.io\"]\n    resources: [\"bind9clusters\"]\n    verbs: [\"delete\", \"deletecollection\"]\n\n  # ClusterBind9Provider - admin delete permission\n  - apiGroups: [\"bindy.firestoned.io\"]\n    resources: [\"clusterbind9providers\"]\n    verbs: [\"delete\", \"deletecollection\"]\n\n  # DNSZone - admin delete permission\n  - apiGroups: [\"bindy.firestoned.io\"]\n    resources: [\"dnszones\"]\n    verbs: [\"delete\", \"deletecollection\"]\n\n  # DNS Records - admin delete permission\n  - apiGroups: [\"bindy.firestoned.io\"]\n    resources:\n      - \"arecords\"\n      - \"aaaarecords\"\n      - \"txtrecords\"\n      - \"cnamerecords\"\n      - \"mxrecords\"\n      - \"nsrecords\"\n      - \"srvrecords\"\n      - \"caarecords\"\n    verbs: [\"delete\", \"deletecollection\"]\n\n  # Kubernetes resources - admin delete permission\n  - apiGroups: [\"apps\"]\n    resources: [\"deployments\"]\n    verbs: [\"delete\"]\n\n  # trivy:ignore:KSV-0056\n  # Suppression Justification (KSV-0056 - Services Delete):\n  #   ADMIN ROLE - Intentionally grants delete permissions for emergency operations.\n  #   Mitigation Strategy:\n  #     1. NOT bound to operator ServiceAccount - human administrators only\n  #     2. Requires explicit RoleBinding by cluster administrator\n  #     3. Audit logging captures all delete operations (PCI-DSS 10.2)\n  #     4. Namespace-scoped via RoleBinding - cannot delete services cluster-wide\n  #   Usage: kubectl create rolebinding bindy-admin --clusterrole=bindy-admin-role --user=admin@example.com\n  - apiGroups: [\"\"]\n    resources: [\"services\", \"configmaps\", \"serviceaccounts\"]\n    verbs: [\"delete\"]\n\n  # Secrets - admin delete permission (CRITICAL: use with extreme caution)\n  # trivy:ignore:KSV-0041\n  # Suppression Justification (KSV-0041 - Secrets Delete):\n  #   ADMIN ROLE - Intentionally grants delete permissions for emergency secret cleanup.\n  #   Mitigation Strategy:\n  #     1. NOT bound to operator ServiceAccount - human administrators only\n  #     2. Requires explicit RoleBinding by cluster administrator\n  #     3. Delete-only - no read/list/watch permissions (minimal exposure)\n  #     4. Audit logging captures all secret operations (PCI-DSS 10.2.7)\n  #     5. Namespace-scoped via RoleBinding - cannot delete secrets cluster-wide\n  #   Risk Acceptance: Admin role for break-glass scenarios (e.g., compromised RNDC keys).\n  #   Usage: kubectl create rolebinding bindy-admin --clusterrole=bindy-admin-role --user=admin@example.com\n  - apiGroups: [\"\"]\n    resources: [\"secrets\"]\n    verbs: [\"delete\"]\n";