update documentation for kyverno role

documentation/installation.md

@@ -81,7 +81,45 @@ Secret | Data | Content
 
 Kyverno uses secrets created above to setup TLS communication with the kube-apiserver and specify the CA bundle to be used to validate the webhook server's certificate in the admission webhook configurations.
 
-### 3. Install Kyverno
+### 3. Configure Kyverno Role
+Kyverno, in `foreground` mode, leverages admission webhooks to manage incoming api-requests, and `background` mode applies the policies on existing resources. It uses ServiceAccount `kyverno-service-account`, which is bound to ClusterRole `kyvernoRole`, which defines the default resources and operations that are permitted.
+
+The `generate` rule creates a new resource, and to allow kyverno to create resource kyverno ClusterRole needs access to them. This can be done by adding the resource to default ClusterRole used by kyverno or by creating a new ClusterRole and a ClusterRoleBinding to kyverno's default ServiceAccount.
+
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: kyvernoRoleGenerate
+rules:
+- apiGroups:
+  - "*"
+  resources:
+  - ResourceA # new Resource to be generated
+  - ResourceB
+  verbs:
+  - create # generate new resources
+  - get # check the contents of exiting resources
+  - update # update existing resource, if required configuration defined in policy is not present
+  - delete # clean-up, if the generate trigger resource is deleted
+```
+```yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kyverno-admin-generate
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyvernoRoleGenerate # clusterRole defined above, to manage generated resources
+subjects:
+- kind: ServiceAccount
+  name: kyverno-service-account # default kyverno serviceAccount
+  namespace: kyverno
+```
+
+### 4. Install Kyverno
 
 To install a specific version, change the image tag with git tag in `install.yaml`.