Add a documentation describing the minimal required permissions needed to run Diki on any environment

[georgibaltiev]

How to categorize this PR?

/kind enhancement

What this PR does / why we need it:

This PR updates Diki's documentation by adding a section describing the minimal required permissions for the tool. It also adds two grammar nits on the README page.

Which issue(s) this PR fixes:
Fixes #652

Special notes for your reviewer:

Release note:

A document, describing Diki's minimal required permissions has been added for the end users.

[gardener-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign aleksandarsavchev for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[AleksandarSavchev]

Thanks! I also think we should reference the RBAC files in our usage docs ./docs/usage for DISA STIG and Hardened k8s guide

[AleksandarSavchev]

Suggested change

	- delete
	- get
	- watch
	- delete
	- watch

We should be able to drop get here, since there is another rule that includes pods.

[georgibaltiev]

Agreed.

[AleksandarSavchev]

This specific part is for the garden provider. We should have separate RBAC ClusterRole/Role files for the different providers. Maybe we can place these files in ./example/rbac and reference those files in the doc.

[georgibaltiev]

Agreed. A possible variant to restructure the documentation is proposed here.

[AleksandarSavchev]

Suggested change

	Diki is a "compliance checker" of sorts, or a detective control framework with pluggable rule sets.
	Diki is a "compliance checker" of sorts, a detective control framework with pluggable rule sets.

[AleksandarSavchev]

Suggested change

	In order to complete it's compliance checking, Diki will require permissions to read certain Kubernetes and Gardener resources, as well as to create and deploy `Pods` on the examined `Nodes`.
	In order to complete it's compliance checking, Diki will require permissions to read certain Kubernetes and Gardener resources, as well as to create and deploy `Pods` on the examined cluster.

[dimityrmirchev]

Why is this change better?

[georgibaltiev]

It made more grammatical sense to me personally. I am ok with both variants, so I can revert the suggestion if requested.

[dimityrmirchev]

In general this should be somehow coupled with the ruleset or at least the provider, no? The way it is written in combines multiple providers and permissions from different environments.

[georgibaltiev]

I agree. The different ruleset permissions could be moved to the other ./docs/usage documents.

[AleksandarSavchev]

It would be hard to make them ruleset specific, since we have rulesets implemented for different providers (e.g. DISA is implemented for the gardener, virtualgarden and managedk8s providers).

I would suggest we make at least 2 provider specific (for managedk8s and garden providers) rbac files and place them in ./example/rbac. Then we can reference these files in the ./docs/usage documents.