What would you like to be added:
It would be nice if the RBAC resources which are created for the karmada-agent when a cluster is joined in pull mode were created by a controller running in the Karmada control plane and not by the karmadactl register command.

Why is this needed:
karmadactl register requires full permissions (through the system:karmada:agent:rbac-generator user) to generate the RBAC resources for the karmada-agent. This means that the bootstrap token which is created to join the cluster can be used to gain full access to the Karmada control plane.
If the RBAC resources were created by a controller on the control plane instead, the access of the bootstrap token could be restricted.