Add watch permission for pods in UI (#2110)

The collector metrics package in the UI backend uses a watch for the
collector pods.
Initially, it had `watch` permission for pods but somewhere it got
reverted which resulted in the error:
```
Collector metrics: Error running delete watcher: unknown (get pods)
```

cli/cmd/resources/README.md

@@ -32,7 +32,8 @@ In this doc, we'll keep track of the permissions requested across different reso
 | Collector    | ""        | endpoints                                                                  | get, list, watch                                | Needed for load balancer.                                                             |
 | Collector    | policy    | podsecuritypolicies                                                        | use                                             | Supports clients enabling pod security policies (optional).                           |
 | UI           | ""        | namespaces                                                                 | get, list, patch                                | Required to retrieve and modify namespace configurations during instrumentation.      |
-| UI           | ""        | services, pods                                                             | get, list                                       | Required for discovering potential destinations and describing application workloads. |
+| UI           | ""        | services                                                                   | get, list                                       | Required for discovering potential destinations and describing application workloads. |
+| UI           | ""        | pods                                                                       | get, list, watch                                | Required for discovering potential destinations and describing application workloads, and for updating collector metrics.  |
 | UI           | apps      | deployments, statefulsets, daemonsets                                      | get, list, patch, update                        | Needed for application instrumentation.                                               |
 | UI           | apps      | replicasets                                                                | get, list                                       | Used for describing source and application configurations.                            |
 | UI           | odigos.io | instrumentedapplications, instrumentationinstances, instrumentationconfigs | get, list, watch                                | Used to retrieve and monitor instrumented applications and configurations.            |

cli/cmd/resources/ui.go

@@ -225,11 +225,16 @@ func NewUIClusterRole() *rbacv1.ClusterRole {
 				Verbs:     []string{"get", "list"},
 			},
 			{ // Need "services" for "Potential Destinations"
-				// Need "pods" for "Describe Source"
 				APIGroups: []string{""},
-				Resources: []string{"services", "pods"},
+				Resources: []string{"services"},
 				Verbs:     []string{"get", "list"},
 			},
+			{ // Need "pods" for "Describe Source"
+			  // for collector metrics - watch and list collectors pods
+				APIGroups: []string{""},
+				Resources: []string{"pods"},
+				Verbs:     []string{"get", "list", "watch"},
+			},
 			{ // Needed to read Odigos entities
 				APIGroups: []string{"odigos.io"},
 				Resources: []string{"instrumentedapplications", "instrumentationinstances", "instrumentationconfigs"},

helm/odigos/templates/ui/clusterrole.yaml

@@ -33,10 +33,17 @@ rules:
       - ''
     resources:
       - services
+    verbs:
+      - get
+      - list
+  - apiGroups:
+      - ''
+    resources:
       - pods
     verbs:
       - get
       - list
+      - watch
   - apiGroups:
       - odigos.io
     resources: