diff --git a/charts/karmada/templates/karmada-resource-clusterrole.yaml b/charts/karmada/templates/_karmada-clusterrole.tpl
similarity index 98%
rename from charts/karmada/templates/karmada-resource-clusterrole.yaml
rename to charts/karmada/templates/_karmada-clusterrole.tpl
index 89db9adb7..01a7fda74 100644
--- a/charts/karmada/templates/karmada-resource-clusterrole.yaml
+++ b/charts/karmada/templates/_karmada-clusterrole.tpl
@@ -1,3 +1,4 @@
+{{- define "karmada.clusterrole" -}}
 # This configuration is used to grant the admin clusterrole read
 # and write permissions for Karmada resources.
 
@@ -147,3 +148,4 @@ rules:
       - deletecollection
       - patch
       - update
+{{- end -}}
diff --git a/charts/karmada/templates/pre-install-job.yaml b/charts/karmada/templates/pre-install-job.yaml
index 70f1b0565..3d4c2d002 100644
--- a/charts/karmada/templates/pre-install-job.yaml
+++ b/charts/karmada/templates/pre-install-job.yaml
@@ -135,7 +135,8 @@ data:
     {{- include "karmada.proxyRbac" . | nindent 8 }}
   {{- print "bootstrap-token-configuration.yaml: " | nindent 6 }} |-
     {{- include "karmada.bootstrapToken.configuration" . | nindent 8 }}
-
+  {{- print "clusterrole.yaml: " | nindent 6 }} |-
+    {{- include "karmada.clusterrole" . | nindent 8 }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -242,6 +243,8 @@ data:
         {{- include "karmada.proxyRbac" . | nindent 8 }}
       {{- print "bootstrap-token-configuration.yaml: " | nindent 6 }} |-
         {{- include "karmada.bootstrapToken.configuration" . | nindent 8 }}
+      {{- print "clusterrole.yaml: " | nindent 6 }} |-
+        {{- include "karmada.clusterrole" . | nindent 8 }}
   crds-patches-configmaps.yaml: |-
     apiVersion: v1
     kind: ConfigMap
diff --git a/charts/karmada/values.yaml b/charts/karmada/values.yaml
index 0cd9e110c..ffd2e42c2 100644
--- a/charts/karmada/values.yaml
+++ b/charts/karmada/values.yaml
@@ -526,7 +526,7 @@ kubeControllerManager:
     rollingUpdate:
       maxUnavailable: 0
       maxSurge: 50%
-  controllers: namespace,garbagecollector,serviceaccount-token,ttl-after-finished,bootstrapsigner,tokencleaner,csrapproving,csrcleaner,csrsigning
+  controllers: namespace,garbagecollector,serviceaccount-token,ttl-after-finished,bootstrapsigner,tokencleaner,csrapproving,csrcleaner,csrsigning,clusterrole-aggregation
   ## @param apiServer.podDisruptionBudget
   podDisruptionBudget: *podDisruptionBudget