Workload cluster CAPI resources backup fails on CAPM3
Summary
The backup of CAPI resources fails on CAPM3 because the backup service account lacks RBAC rights on Metal3 resources.
Steps to reproduce
Run the backup-capi-resources cronjob with at least one workload cluster on CAPM3.
Relevant logs and/or screenshots
Error: failed to get object graph: failed to discover the object graph: action failed after 9 attempts: failed to list "metal3.io/v1alpha1, Kind=BMCEventSubscription" resources: bmceventsubscriptions.metal3.io is forbidden: User "system:serviceaccount:sylva-system:backup-capi-resources-sa" cannot list resource "bmceventsubscriptions" in API group "metal3.io" in the namespace "kubeadm-capm3-virt"
Possible fixes
The CAPI aggregated roles do not grant access to provider-specific resources (here the metal3.io API group), so the backup service account cannot list them.
To find out which resources clusterctl needs to access, run the following command against a running cluster (or inspect the CRDs deployed with the provider):
kubectl get crd -o yaml | yq eval '[.items[] | select(.metadata.labels."clusterctl.cluster.x-k8s.io" == "") | {"group": .spec.group, "name": .spec.names.plural}] | map(select(.group != "infrastructure.cluster.x-k8s.io" and .group != "controlplane.cluster.x-k8s.io" and .group != "bootstrap.cluster.x-k8s.io" and .group != "addons.cluster.x-k8s.io")) | sort_by(.group) | group_by(.group) | (.[] | {"apiGroups": [.[0].group], "resources": map(.name)} )'
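The following Python script, added here as an illustration and not part of the sylva project or its manifests, reimplements the filter of the yq command above on a constructed CRD list (CRDs carrying the clusterctl.cluster.x-k8s.io label, minus the four core CAPI groups) and turns the result into a ClusterRole plus a ClusterRoleBinding for the service account named in the error. The verbs get/list/watch, the role and binding names, and the sample CRDs are assumptions; an is_allowed() helper mirrors the check that `kubectl auth can-i` would perform for the failing list call.

```python
import json

# Constructed sample of `kubectl get crd -o json`, reduced to the fields the
# filter needs. Cases: two provider CRDs clusterctl must reach (metal3.io), one
# CRD in a core CAPI group that the aggregated roles already cover, and one
# CRD without the clusterctl label that must be ignored.
SAMPLE_CRD_LIST = {
    "items": [
        {"metadata": {"name": "bmceventsubscriptions.metal3.io",
                      "labels": {"clusterctl.cluster.x-k8s.io": ""}},
         "spec": {"group": "metal3.io", "names": {"plural": "bmceventsubscriptions"}}},
        {"metadata": {"name": "baremetalhosts.metal3.io",
                      "labels": {"clusterctl.cluster.x-k8s.io": ""}},
         "spec": {"group": "metal3.io", "names": {"plural": "baremetalhosts"}}},
        {"metadata": {"name": "metal3clusters.infrastructure.cluster.x-k8s.io",
                      "labels": {"clusterctl.cluster.x-k8s.io": ""}},
         "spec": {"group": "infrastructure.cluster.x-k8s.io",
                  "names": {"plural": "metal3clusters"}}},
        {"metadata": {"name": "unrelated.example.org", "labels": {}},
         "spec": {"group": "example.org", "names": {"plural": "unrelated"}}},
    ]
}

CLUSTERCTL_LABEL = "clusterctl.cluster.x-k8s.io"
# Groups already covered by the CAPI aggregated roles (same list as the yq filter).
CAPI_CORE_GROUPS = {
    "infrastructure.cluster.x-k8s.io",
    "controlplane.cluster.x-k8s.io",
    "bootstrap.cluster.x-k8s.io",
    "addons.cluster.x-k8s.io",
}
# Assumption: a backup only reads, so no create/update/delete verbs are granted.
BACKUP_VERBS = ["get", "list", "watch"]


def discover_provider_rules(crd_list):
    """Return RBAC rules for provider CRDs that clusterctl needs but the core roles miss."""
    groups = {}
    for item in crd_list.get("items", []):
        labels = item.get("metadata", {}).get("labels") or {}
        # The clusterctl label carries an empty value; a missing key yields None.
        if labels.get(CLUSTERCTL_LABEL) != "":
            continue
        group = item["spec"]["group"]
        if group in CAPI_CORE_GROUPS:
            continue
        groups.setdefault(group, set()).add(item["spec"]["names"]["plural"])
    # Sorted for a stable manifest (the yq version sorts by group only).
    return [{"apiGroups": [g], "resources": sorted(r), "verbs": list(BACKUP_VERBS)}
            for g, r in sorted(groups.items())]


def is_allowed(rules, group, resource, verb):
    """Mimic the RBAC decision for one (group, resource, verb) triple."""
    for rule in rules:
        if group in rule["apiGroups"] or "*" in rule["apiGroups"]:
            if resource in rule["resources"] or "*" in rule["resources"]:
                if verb in rule["verbs"] or "*" in rule["verbs"]:
                    return True
    return False


def build_clusterrole(rules, name="backup-capi-resources-providers"):  # name is an assumption
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": name}, "rules": rules}


def build_clusterrolebinding(role_name, sa_name, sa_namespace,
                             name="backup-capi-resources-providers"):  # name is an assumption
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                          "namespace": sa_namespace}]}


if __name__ == "__main__":
    rules = discover_provider_rules(SAMPLE_CRD_LIST)
    role = build_clusterrole(rules)
    # Service account and namespace are the ones from the error message above.
    binding = build_clusterrolebinding(role["metadata"]["name"],
                                       "backup-capi-resources-sa", "sylva-system")
    # JSON is valid input for `kubectl apply -f -`.
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": [role, binding]}, indent=2))
    print("list bmceventsubscriptions allowed:",
          is_allowed(rules, "metal3.io", "bmceventsubscriptions", "list"))
```

Feeding the real `kubectl get crd -o json` output to discover_provider_rules() instead of the constructed sample gives the rule set to add. A ClusterRoleBinding grants the read verbs in every namespace; if the backup should only reach the workload-cluster namespaces (such as kubeadm-capm3-virt in the error), bind the ClusterRole with a RoleBinding per namespace instead.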