ClusterRoles that utilize AggregationRule are often defined without any direct rules. Instead, their permissions are aggregated from other ClusterRoles that match the specified label selector.
However, the current permission generator logic only includes rules from ClusterRoles that are explicitly bound to ServiceAccounts via ClusterRoleBinding. As a result, ClusterRoles using AggregationRule are ignored, leading to incomplete or empty permission bundles.
Impact:
Deployments relying on aggregated ClusterRoles may not receive the required permissions, requiring a lot of manual work to copy and paste required permissions from a number of ClusterRoles.
Expected Behavior:
The generator should recognize and correctly include rules from ClusterRoles using AggregationRule, by resolving and aggregating the matching ClusterRoles.
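An added example, not part of the issue or the project's code, of the resolution described under Expected Behavior: collect the rules of every ClusterRole whose labels match one of the aggregating role's selectors, including nested aggregation. The types are minimal stand-ins for the rbac/v1 API types, only `matchLabels` selectors are modelled, and all role names and labels are constructed sample values.

```go
package main

import "fmt"

// Stand-ins for the rbac/v1 types (assumption: only matchLabels selectors are modelled).
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
type ClusterRole struct {
	Name      string
	Labels    map[string]string
	Rules     []PolicyRule
	Selectors []map[string]string // aggregationRule.clusterRoleSelectors[].matchLabels
}

func matches(sel, labels map[string]string) bool {
	for k, v := range sel {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// ResolveRules returns r's own rules plus those of every role matched by any of its
// selectors (ORed), recursing into nested aggregation; seen (start empty) stops cycles.
func ResolveRules(r ClusterRole, all []ClusterRole, seen map[string]bool) []PolicyRule {
	if seen[r.Name] {
		return nil
	}
	seen[r.Name] = true
	out := append([]PolicyRule{}, r.Rules...)
	for _, c := range all {
		for _, sel := range r.Selectors {
			if matches(sel, c.Labels) {
				out = append(out, ResolveRules(c, all, seen)...)
				break
			}
		}
	}
	return out
}

func main() {
	agg := map[string]string{"rbac.example.com/aggregate-to-monitoring": "true"}
	roles := []ClusterRole{ // constructed sample, not taken from a real cluster
		{Name: "monitoring", Selectors: []map[string]string{agg}},
		{Name: "monitoring-endpoints", Labels: agg, Rules: []PolicyRule{{[]string{""}, []string{"endpoints"}, []string{"get"}}}},
		{Name: "unrelated", Rules: []PolicyRule{{[]string{""}, []string{"secrets"}, []string{"get"}}}},
	}
	fmt.Printf("%+v\n", ResolveRules(roles[0], roles, map[string]bool{}))
}
```

The example keeps any rules written directly on an aggregating role, whereas the Kubernetes control plane overwrites that field with the aggregated result.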