What RBAC permissions for live apply? Correct values for apiGroups and resources

[WTPascoe]

I am trying to give a user permissions to do kpt live apply

When doing this, an error is returned

Installing inventory ResourceGroup CRD.
error: Type ResourceGroup CRD needs update. Please make sure you have the permission to update CRD then run kpt live install-resource-group.
error installing ResourceGroup crd

If I add a far too broad set of rules to their role, this then succeeds. I'd like to understand what permissions are needed to be able to complete the live apply

- apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

The file that live init has generated and appears to be triggering this error is as follows:

resourcegroup.yaml
apiVersion: kpt.dev/v1alpha1
kind: ResourceGroup
metadata:
  name: inventory-27342774
  namespace:  mynamespace
  labels:
    cli-utils.sigs.k8s.io/inventory-id: somenumbershere

[johnbelamaric]

If the ResourceGroup CRD is not installed, it tries to install it. In that case it would need privileges to add CRDs. My recommendation is that an administrator add the ResourceGroup CRD (for example, with kpt live install-resource-group). After that, the kpt tool itself only needs read on CRDs; since it will find the CRD already installed it will not try to install it again. This usually can be given to ordinary users.

Of course, the user will also need permissions to add the resources in the namespaces that are being applied.