Fail to deploy an addon using addon template

[zhujian7]

Describe the bug
I am trying to use the addon template feature to rewrite the managed-serviceaccount API, which needs to create these permissions on the hub cluster:

but I got error when deploying the addon:

#managedClusterAddon 
    message: |-
      Failed to set permission for hub agent: rolebindings.rbac.authorization.k8s.io "open-cluster-management:managed-serviceaccount:clusterrole:agent" is forbidden: user "system:serviceaccount:open-cluster-management-hub:addon-manager-controller-sa" (groups=["system:serviceaccounts" "system:serviceaccounts:open-cluster-management-hub" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
      {APIGroups:[""], Resources:["configmaps"], Verbs:["*"]}
      {APIGroups:[""], Resources:["secrets"], Verbs:["*"]}
      {APIGroups:["authentication.open-cluster-management.io"], Resources:["managedserviceaccounts"], Verbs:["get" "list" "watch"]}
      {APIGroups:["authentication.open-cluster-management.io"], Resources:["managedserviceaccounts/status"], Verbs:["get" "update" "patch"]}
      {APIGroups:["coordination.k8s.io"], Resources:["leases"], Verbs:["*"]}
    reason: SetPermissionFailed
    status: "False"
    type: RegistrationApplied

To Reproduce
Steps to reproduce the behavior:

Expected behavior
The addon can be deployed successfully. OR some docs explain how to hand this.

Environment ie: OCM version, Kubernetes version and provider:

Additional context
Add any other context about the problem here.

[zhujian7]

Add some doc to explain how to grant permissions for the addon manager to address this issue: open-cluster-management-io/open-cluster-management-io.github.io#373