Bug
Resolution: Done-Errata
Major
Quality / Stability / Reliability
CLOSED
Critical
Description of problem: virtualmachineclones.clone.kubevirt.io and virtualmachineexports.export.kubevirt.io are not part of system:cluster-readers group
Version-Release number of selected component (if applicable):
4.12.0-628
How reproducible:
100%
Steps to Reproduce:
1. Run "oc adm policy who-can get <crd_name>"
Actual results:
===================
[cloud-user@ocp-psi-executor ~]$ oc adm policy who-can get virtualmachineclones.clone.kubevirt.io
resourceaccessreviewresponse.authorization.openshift.io/<unknown>
Namespace: default
Verb: get
Resource: virtualmachineclones.clone.kubevirt.io
Users: system:admin
system:serviceaccount:kube-system:generic-garbage-collector
system:serviceaccount:kube-system:namespace-controller
system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
system:serviceaccount:openshift-authentication-operator:authentication-operator
system:serviceaccount:openshift-authentication:oauth-openshift
system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
system:serviceaccount:openshift-cluster-version:default
system:serviceaccount:openshift-cnv:cluster-network-addons-operator
system:serviceaccount:openshift-cnv:kubevirt-controller
system:serviceaccount:openshift-cnv:kubevirt-operator
system:serviceaccount:openshift-config-operator:openshift-config-operator
system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
system:serviceaccount:openshift-etcd-operator:etcd-operator
system:serviceaccount:openshift-etcd:installer-sa
system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
system:serviceaccount:openshift-kube-apiserver:installer-sa
system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
system:serviceaccount:openshift-kube-controller-manager:installer-sa
system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
system:serviceaccount:openshift-kube-scheduler:installer-sa
system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
system:serviceaccount:openshift-machine-config-operator:default
system:serviceaccount:openshift-network-operator:default
system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
system:serviceaccount:openshift-service-ca-operator:service-ca-operator
system:serviceaccount:recycle-pvs:recycle-pvs-sa
Groups: system:cluster-admins
system:masters
[cloud-user@ocp-psi-executor ~]$
[cloud-user@ocp-psi-executor ~]$ oc adm policy who-can get virtualmachineexports.export.kubevirt.io
resourceaccessreviewresponse.authorization.openshift.io/<unknown>
Namespace: default
Verb: get
Resource: virtualmachineexports.export.kubevirt.io
Users: system:admin
system:serviceaccount:kube-system:generic-garbage-collector
system:serviceaccount:kube-system:namespace-controller
system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
system:serviceaccount:openshift-authentication-operator:authentication-operator
system:serviceaccount:openshift-authentication:oauth-openshift
system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
system:serviceaccount:openshift-cluster-version:default
system:serviceaccount:openshift-cnv:cluster-network-addons-operator
system:serviceaccount:openshift-cnv:kubevirt-controller
system:serviceaccount:openshift-cnv:kubevirt-exportproxy
system:serviceaccount:openshift-cnv:kubevirt-operator
system:serviceaccount:openshift-config-operator:openshift-config-operator
system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
system:serviceaccount:openshift-etcd-operator:etcd-operator
system:serviceaccount:openshift-etcd:installer-sa
system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
system:serviceaccount:openshift-kube-apiserver:installer-sa
system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
system:serviceaccount:openshift-kube-controller-manager:installer-sa
system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
system:serviceaccount:openshift-kube-scheduler:installer-sa
system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
system:serviceaccount:openshift-machine-config-operator:default
system:serviceaccount:openshift-network-operator:default
system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
system:serviceaccount:openshift-service-ca-operator:service-ca-operator
system:serviceaccount:recycle-pvs:recycle-pvs-sa
Groups: system:cluster-admins
system:masters
[cloud-user@ocp-psi-executor ~]$
Expected results:
Both command outputs should list the system:cluster-readers group
Additional info:
- blocks: CNV-24785 [2164814] [4.13]virtualmachineclones.clone.kubevirt.io and virtualmachineexports.export.kubevirt.io are not part of system:cluster-readers group (Closed)
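
Added example, not part of the original report: a shell check that parses `oc adm policy who-can` output and tests whether a group appears in the `Groups:` field, so the comparison above can be repeated for both CRDs after an upgrade. The function names and both sample outputs are constructed for illustration; `SAMPLE_MISSING` is trimmed from the listing above and `SAMPLE_FIXED` is an assumed shape of the expected result.

```shell
#!/bin/sh
# Added example: verify group membership in `oc adm policy who-can` output.

# Print one group per line from who-can output on stdin. "Groups:" starts the
# field; continuation lines follow until another "Field: " header or a prompt.
groups_in_whocan() {
  awk '
    /^Groups:/ { in_groups = 1; sub(/^Groups:[ \t]*/, "") }
    in_groups && (/^[A-Za-z]+:[ \t]/ || /^\[/) { in_groups = 0 }
    in_groups && NF { print $1 }
  '
}

# has_group GROUP: succeed only if GROUP is listed under Groups (not Users).
has_group() {
  groups_in_whocan | grep -Fxq -- "$1"
}

# check_crds GROUP CRD...: run the reproduction step for each CRD on a live
# cluster (requires a logged-in `oc`); non-zero exit if any CRD lacks GROUP.
check_crds() {
  cc_group=$1; shift
  cc_rc=0
  for cc_crd in "$@"; do
    if oc adm policy who-can get "$cc_crd" | has_group "$cc_group"; then
      echo "OK      $cc_crd"
    else
      echo "MISSING $cc_crd"; cc_rc=1
    fi
  done
  return $cc_rc
}

# Constructed sample: trimmed copy of the actual result reported above.
SAMPLE_MISSING='Namespace: default
Verb: get
Resource: virtualmachineclones.clone.kubevirt.io
Users: system:admin
system:serviceaccount:openshift-cnv:kubevirt-controller
Groups: system:cluster-admins
system:masters
[cloud-user@ocp-psi-executor ~]$'

# Constructed sample: assumed shape of the expected result.
SAMPLE_FIXED='Resource: virtualmachineclones.clone.kubevirt.io
Users: system:admin
Groups: system:cluster-admins
system:cluster-readers
system:masters'
```

On a cluster, `check_crds system:cluster-readers virtualmachineclones.clone.kubevirt.io virtualmachineexports.export.kubevirt.io` reports each CRD and exits non-zero while either one is still missing the group.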