Add rbac permission for packageinstall finalizers (#582)

https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
enforces that you need the update perm for the finalizers subresource to
make an object be owned by it. We create Apps that are owned by
PackageInstalls, and thus need to be able to update the
packageinstalls/finalizers.

config/rbac.yml

@@ -22,7 +22,7 @@ rules:
   resources: ["apps", "apps/status"]
   verbs: ["*"]
 - apiGroups: ["packaging.carvel.dev"]
-  resources: ["packageinstalls", "packageinstalls/status"]
+  resources: ["packageinstalls", "packageinstalls/status", "packageinstalls/finalizers"]
   verbs: ["*"]
 - apiGroups: ["packaging.carvel.dev"]
   resources: ["packagerepositories", "packagerepositories/status"]