[Enhancement] Generate documentation should warn about syncing a secret in an Excluded namespace

[eitah]

Description

https://kyverno.io/docs/writing-policies/generate/#clone-examples does not mention that excluded namespaces for clone secrets are unable to sync properly. This is an issue because we copied the sync secrets policy expecting that the match and exclude blocks were unrelated to the clone fields. In fact, the clone needs to be in an allowed namespace for the trigger in order for the sync feature to work.

Stemming from bug report here: kyverno/policies#1056

Slack discussion

kyverno/policies#1056

[welcome]

Thanks for opening your first issue here! Be sure to follow the issue template!

[eitah]

It's already called out somewhat here https://kyverno.io/docs/troubleshooting/
but I'd like to make the association more direct

Check and ensure you aren’t creating a resource that is either excluded from Kyverno’s processing by default, or that it hasn’t been created in an excluded Namespace. Kyverno uses a ConfigMap by default called kyverno in the Kyverno Namespace to filter out some of these things. The key name is resourceFilters and more details can be found here.