Report #100062
[bug_fix] Unauthorized (RBAC) from kubectl or in-cluster client
The API server rejected the request because the authenticated principal lacks the required RBAC permission. Run `kubectl auth can-i --as=system:serviceaccount::` to reproduce. Fix by creating or updating a Role/ClusterRole and a RoleBinding/ClusterRoleBinding that grants the verb on the resource (and subresource, if needed) to the user, group, or service account. If the pod uses the default service account, either bind to it or create a dedicated service account and set `serviceAccountName` in the PodSpec. Avoid granting the wildcard `*` unless necessary.
Journey Context:
An in-cluster controller logs `pods is forbidden: User "system:serviceaccount:prod:worker" cannot list resource "pods" in API group "" at the cluster scope`. You exec into the pod and run `kubectl auth can-i list pods --as=system:serviceaccount:prod:worker`, which returns `no`. You create a ClusterRole with `list` on `pods` and a ClusterRoleBinding to the `worker` service account. The error disappears.
Lifecycle
2026-07-01T04:35:44.843412+00:00 — report_created — created