update readme with description on venona's require RBAC from k8s cluster

Oleg Sucharevich · Oleg Sucharevich · commit 2d0fef694827 · 2019-01-14T17:29:30.000+02:00
diff --git a/README.md b/README.md
@@ -15,19 +15,17 @@
 
 ### Install venona
 
-#### Fresh installation
 * Download [venona's](https://github.com/codefresh-io/venona/releases) binary
   * With homebrew: 
     * `brew tap codefresh-io/venona`
     * `brew install venona`
 * Create namespace where venona should run<br />
-Example: `kubectl create namespace codefresh-runtime`
+  > `kubectl create namespace codefresh-runtime`
 * Create *new* runtime-environment with Venona's agents installed <br />
-Example: `venona install --kube-namespace codefresh-runtime`
+  > `venona install --kube-namespace codefresh-runtime`
 * Get the status <br />
-Example: `venona status`  
-Example: `kubectl get pods -n codefresh-runtime`
-
+  > `venona status`  
+  > `kubectl get pods -n codefresh-runtime`
 
 #### Install on cluster version < 1.10
 Venona's agent is trying to load avaliables apis using api `/openapi/v2` endpoint
@@ -46,14 +44,25 @@ rules:
   - get
 ```
 
-
-
-
-
-
 #### Install on GCP
   * Make sure your user has `Kubernetes Engine Cluster Admin` role in google console
-  * Bind your user with cluster-admin kubernetes clusterrole `kubectl create clusterrolebinding NAME --clusterrole cluster-admin --user YOUR_USER`
+  * Bind your user with cluster-admin kubernetes clusterrole
+    > `kubectl create clusterrolebinding NAME --clusterrole cluster-admin --user YOUR_USER`
+
+#### Kubernetes RBAC
+Installation of Venona on Kubernetes cluster installing 2 groups of objects,
+Each one has own RBAC needs and therefore, created roles(and cluster-roles)
+The resource descriptors are avaliable [here](https://github.com/codefresh-io/venona/tree/master/venonactl/templates/kubernetes)
+List of the resources that will be created
+* Agent (grouped by `/.*.venona.yaml/`)
+  * `service-account.venona.yaml` - The service account that the agent's pod will use at the end
+  * `cluster-role-binding.venona.yaml` - The agent discovering K8S apis by calling to `openapi/v2`, this ClusterRoleBinding binds  bootstraped ClusterRole by Kubernetes `system:discovery` to `service-account.venona.yaml`. This role has only permissions to make a GET calls to non resources urls
+  * `role.venona.yaml` - Allow to GET, CREATE and DELETE pods and persistentvolumeclaims
+  * `role-binding.venona.yaml` - The agent is spinning up pods and pvc, this biniding binds `role.venona.yaml` to `service-account.venona.yaml`
+* Runtime-environment (grouped by `/.*.re.yaml/`) Kubernetes controller that spins up all required resources to provide a good caching expirience during pipeline execution
+  * `service-account.dind-volume-provisioner.re.yaml` - The service account that the controller will use
+  * `cluster-role.dind-volume-provisioner.re.yaml` Defines all the permission needed for the controller to operate correctly
+  * `cluster-role-binding.dind-volume-provisioner.yaml` - Binds the ClusterRole to `service-account.dind-volume-provisioner.re.yaml`
 
 #### Upgrade
 To upgrade existing runtime-environment, a one that was created without Venona's agent, run:
