docs(platform): document policy rule fields for clusterroletemplate (#1538)

ClusterRoleTemplate API reference shows PolicyRule fields (verbs,
apiGroups, resources, etc.) but the auto-generated reference lacks
descriptions. Users needed to generate YAML via UI to discover valid
values for CI/CD pipelines.

Added explanatory section to the main clusterroletemplate.mdx page
documenting:
- Standard Kubernetes RBAC verbs with descriptions
- Common API groups including vCluster Platform groups
- Complete list of management.loft.sh resources
- Usage of resourceNames and nonResourceURLs

Added to main page rather than auto-generated reference.mdx to ensure
content survives regeneration.

Addresses DOC-1125

Author: Piotr1215

platform/api/resources/clusterroletemplate.mdx

@@ -48,6 +48,83 @@ status: {}
 
 ```
 
+## Policy rules
+
+The `rules` field under `clusterRoleTemplate` defines RBAC permissions using standard Kubernetes PolicyRule objects. Each rule specifies which actions (verbs) are allowed on which resources.
+
+### Verbs
+
+Verbs define the actions allowed on resources. Standard Kubernetes RBAC verbs include:
+
+| Verb | Description |
+|------|-------------|
+| `get` | Retrieve a single resource |
+| `list` | Retrieve a collection of resources |
+| `watch` | Watch for changes to resources |
+| `create` | Create a new resource |
+| `update` | Update an existing resource (replaces the entire object) |
+| `patch` | Partially modify an existing resource |
+| `delete` | Delete a single resource |
+| `deletecollection` | Delete a collection of resources |
+| `*` | Wildcard representing all verbs |
+
+### API groups
+
+API groups define which API the resources belong to. Common API groups include:
+
+| API Group | Description |
+|-----------|-------------|
+| `""` | Core API group (pods, services, configmaps, secrets, namespaces) |
+| `apps` | Deployments, DaemonSets, ReplicaSets, StatefulSets |
+| `batch` | Jobs, CronJobs |
+| `networking.k8s.io` | NetworkPolicies, Ingresses |
+| `rbac.authorization.k8s.io` | Roles, RoleBindings, ClusterRoles, ClusterRoleBindings |
+| `management.loft.sh` | vCluster Platform resources |
+| `storage.loft.sh` | vCluster Platform storage resources |
+| `*` | Wildcard matching all API groups |
+
+### Platform resources
+
+vCluster Platform resources in the `management.loft.sh` API group:
+
+| Resource | Description |
+|----------|-------------|
+| `announcements` | Platform announcements |
+| `apps` | Application configurations |
+| `backups` | Platform backups |
+| `clusteraccesses` | Cluster access permissions |
+| `clusterroletemplates` | Cluster role templates |
+| `clusters` | Connected clusters |
+| `configs` | Platform configuration |
+| `events` | Platform events |
+| `features` | Platform features |
+| `licenses` | Platform licenses |
+| `nodeclaims` | Node claims for auto-provisioning |
+| `nodeenvironments` | Node environment configurations |
+| `nodeproviders` | Node provider configurations |
+| `nodetypes` | Node type definitions |
+| `ownedaccesskeys` | User-owned access keys |
+| `projects` | Projects |
+| `selves` | Current user information |
+| `sharedsecrets` | Shared secrets |
+| `spaceinstances` | Space instances |
+| `spacetemplates` | Space templates |
+| `tasks` | Platform tasks |
+| `teams` | Teams |
+| `users` | Users |
+| `virtualclusterinstances` | Virtual cluster instances |
+| `virtualclustertemplates` | Virtual cluster templates |
+
+Common subresources include `projects/members`, `projects/templates`, `clusters/members`, `virtualclusterinstances/kubeconfig`, and `virtualclusterinstances/log`.
+
+### Resource names
+
+The `resourceNames` field optionally restricts a rule to specific named resources. When empty, the rule applies to all resources of the specified type.
+
+### Non-resource URLs
+
+The `nonResourceURLs` field specifies access to non-resource endpoints like `/healthz`, `/api`, `/apis`, and `/version`. Use `*` as a suffix to match paths (for example, `/healthz/*`).
+
 ## ClusterRoleTemplate reference
 
 <Reference />

platform_versioned_docs/version-4.4.0/api/resources/clusterroletemplate.mdx

@@ -13,17 +13,15 @@ An example ClusterRoleTemplate:
 ```yaml
 apiVersion: management.loft.sh/v1
 kind: ClusterRoleTemplate
-metadata:
-  creationTimestamp: null
+metadata: {}
 spec:
   access:
   - users:
     - '*'
     verbs:
     - get
   clusterRoleTemplate:
-    metadata:
-      creationTimestamp: null
+    metadata: {}
     rules:
     - apiGroups:
       - management.loft.sh/v1
@@ -50,6 +48,83 @@ status: {}
 
 ```
 
+## Policy rules
+
+The `rules` field under `clusterRoleTemplate` defines RBAC permissions using standard Kubernetes PolicyRule objects. Each rule specifies which actions (verbs) are allowed on which resources.
+
+### Verbs
+
+Verbs define the actions allowed on resources. Standard Kubernetes RBAC verbs include:
+
+| Verb | Description |
+|------|-------------|
+| `get` | Retrieve a single resource |
+| `list` | Retrieve a collection of resources |
+| `watch` | Watch for changes to resources |
+| `create` | Create a new resource |
+| `update` | Update an existing resource (replaces the entire object) |
+| `patch` | Partially modify an existing resource |
+| `delete` | Delete a single resource |
+| `deletecollection` | Delete a collection of resources |
+| `*` | Wildcard representing all verbs |
+
+### API groups
+
+API groups define which API the resources belong to. Common API groups include:
+
+| API Group | Description |
+|-----------|-------------|
+| `""` | Core API group (pods, services, configmaps, secrets, namespaces) |
+| `apps` | Deployments, DaemonSets, ReplicaSets, StatefulSets |
+| `batch` | Jobs, CronJobs |
+| `networking.k8s.io` | NetworkPolicies, Ingresses |
+| `rbac.authorization.k8s.io` | Roles, RoleBindings, ClusterRoles, ClusterRoleBindings |
+| `management.loft.sh` | vCluster Platform resources |
+| `storage.loft.sh` | vCluster Platform storage resources |
+| `*` | Wildcard matching all API groups |
+
+### Platform resources
+
+vCluster Platform resources in the `management.loft.sh` API group:
+
+| Resource | Description |
+|----------|-------------|
+| `announcements` | Platform announcements |
+| `apps` | Application configurations |
+| `backups` | Platform backups |
+| `clusteraccesses` | Cluster access permissions |
+| `clusterroletemplates` | Cluster role templates |
+| `clusters` | Connected clusters |
+| `configs` | Platform configuration |
+| `events` | Platform events |
+| `features` | Platform features |
+| `licenses` | Platform licenses |
+| `nodeclaims` | Node claims for auto-provisioning |
+| `nodeenvironments` | Node environment configurations |
+| `nodeproviders` | Node provider configurations |
+| `nodetypes` | Node type definitions |
+| `ownedaccesskeys` | User-owned access keys |
+| `projects` | Projects |
+| `selves` | Current user information |
+| `sharedsecrets` | Shared secrets |
+| `spaceinstances` | Space instances |
+| `spacetemplates` | Space templates |
+| `tasks` | Platform tasks |
+| `teams` | Teams |
+| `users` | Users |
+| `virtualclusterinstances` | Virtual cluster instances |
+| `virtualclustertemplates` | Virtual cluster templates |
+
+Common subresources include `projects/members`, `projects/templates`, `clusters/members`, `virtualclusterinstances/kubeconfig`, and `virtualclusterinstances/log`.
+
+### Resource names
+
+The `resourceNames` field optionally restricts a rule to specific named resources. When empty, the rule applies to all resources of the specified type.
+
+### Non-resource URLs
+
+The `nonResourceURLs` field specifies access to non-resource endpoints like `/healthz`, `/api`, `/apis`, and `/version`. Use `*` as a suffix to match paths (for example, `/healthz/*`).
+
 ## ClusterRoleTemplate reference
 
 <Reference />

platform_versioned_docs/version-4.5.0/api/resources/clusterroletemplate.mdx

@@ -13,17 +13,15 @@ An example ClusterRoleTemplate:
 ```yaml
 apiVersion: management.loft.sh/v1
 kind: ClusterRoleTemplate
-metadata:
-  creationTimestamp: null
+metadata: {}
 spec:
   access:
   - users:
     - '*'
     verbs:
     - get
   clusterRoleTemplate:
-    metadata:
-      creationTimestamp: null
+    metadata: {}
     rules:
     - apiGroups:
       - management.loft.sh/v1
@@ -50,6 +48,83 @@ status: {}
 
 ```
 
+## Policy rules
+
+The `rules` field under `clusterRoleTemplate` defines RBAC permissions using standard Kubernetes PolicyRule objects. Each rule specifies which actions (verbs) are allowed on which resources.
+
+### Verbs
+
+Verbs define the actions allowed on resources. Standard Kubernetes RBAC verbs include:
+
+| Verb | Description |
+|------|-------------|
+| `get` | Retrieve a single resource |
+| `list` | Retrieve a collection of resources |
+| `watch` | Watch for changes to resources |
+| `create` | Create a new resource |
+| `update` | Update an existing resource (replaces the entire object) |
+| `patch` | Partially modify an existing resource |
+| `delete` | Delete a single resource |
+| `deletecollection` | Delete a collection of resources |
+| `*` | Wildcard representing all verbs |
+
+### API groups
+
+API groups define which API the resources belong to. Common API groups include:
+
+| API Group | Description |
+|-----------|-------------|
+| `""` | Core API group (pods, services, configmaps, secrets, namespaces) |
+| `apps` | Deployments, DaemonSets, ReplicaSets, StatefulSets |
+| `batch` | Jobs, CronJobs |
+| `networking.k8s.io` | NetworkPolicies, Ingresses |
+| `rbac.authorization.k8s.io` | Roles, RoleBindings, ClusterRoles, ClusterRoleBindings |
+| `management.loft.sh` | vCluster Platform resources |
+| `storage.loft.sh` | vCluster Platform storage resources |
+| `*` | Wildcard matching all API groups |
+
+### Platform resources
+
+vCluster Platform resources in the `management.loft.sh` API group:
+
+| Resource | Description |
+|----------|-------------|
+| `announcements` | Platform announcements |
+| `apps` | Application configurations |
+| `backups` | Platform backups |
+| `clusteraccesses` | Cluster access permissions |
+| `clusterroletemplates` | Cluster role templates |
+| `clusters` | Connected clusters |
+| `configs` | Platform configuration |
+| `events` | Platform events |
+| `features` | Platform features |
+| `licenses` | Platform licenses |
+| `nodeclaims` | Node claims for auto-provisioning |
+| `nodeenvironments` | Node environment configurations |
+| `nodeproviders` | Node provider configurations |
+| `nodetypes` | Node type definitions |
+| `ownedaccesskeys` | User-owned access keys |
+| `projects` | Projects |
+| `selves` | Current user information |
+| `sharedsecrets` | Shared secrets |
+| `spaceinstances` | Space instances |
+| `spacetemplates` | Space templates |
+| `tasks` | Platform tasks |
+| `teams` | Teams |
+| `users` | Users |
+| `virtualclusterinstances` | Virtual cluster instances |
+| `virtualclustertemplates` | Virtual cluster templates |
+
+Common subresources include `projects/members`, `projects/templates`, `clusters/members`, `virtualclusterinstances/kubeconfig`, and `virtualclusterinstances/log`.
+
+### Resource names
+
+The `resourceNames` field optionally restricts a rule to specific named resources. When empty, the rule applies to all resources of the specified type.
+
+### Non-resource URLs
+
+The `nonResourceURLs` field specifies access to non-resource endpoints like `/healthz`, `/api`, `/apis`, and `/version`. Use `*` as a suffix to match paths (for example, `/healthz/*`).
+
 ## ClusterRoleTemplate reference
 
 <Reference />