Report #100532
[bug_fix] RBAC Unauthorized (forbidden) for a ServiceAccount
Run `kubectl auth can-i --as=system:serviceaccount::` to reproduce the denial. Create a Role (for namespaced resources) or a ClusterRole (for cluster-scoped resources) with the required apiGroups/resources/verbs, then bind it to the ServiceAccount with a RoleBinding or ClusterRoleBinding. Apply the manifest and re-run the can-i check.
Journey Context:
A CI-deployed operator Pod was logging `User "system:serviceaccount:operators:my-operator" cannot list resource "deployments" in API group "apps" at the cluster scope`. The developer first tried adding the service account to the `cluster-admin` ClusterRoleBinding, which worked but violated the least-privilege policy. Running `kubectl auth can-i list deployments --as=system:serviceaccount:operators:my-operator -n operators` confirmed the denial. The real fix was to create a ClusterRole granting `get`, `list`, and `watch` on `deployments`, plus a ClusterRoleBinding attaching it to the `my-operator` service account. After the binding was applied, the operator started reconciling resources without excess permissions.
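The fix described above, written out as an added shell script (not part of the original report): it generates the least-privilege ClusterRole and ClusterRoleBinding for a ServiceAccount, applies them, and re-runs the can-i check for the verbs the operator needs and for one verb it must not have. The namespace `operators`, ServiceAccount `my-operator` and ClusterRole name `my-operator-reader` are assumed values taken from the journey or invented here; `rbac_manifest` runs offline, while `apply_and_verify` needs a cluster and `kubectl`.

```shell
#!/bin/sh
# Added example, not the report's own code. Generates and verifies a
# least-privilege ClusterRole + ClusterRoleBinding for a ServiceAccount.
set -eu

# Print a manifest granting get/list/watch on apps/deployments (cluster scope)
# to one ServiceAccount. $1 = namespace, $2 = ServiceAccount, $3 = ClusterRole name.
rbac_manifest() {
  ns="$1"; sa="$2"; role="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${role}
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${role}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
  - kind: ServiceAccount
    name: ${sa}
    namespace: ${ns}
EOF
}

# Ask the API server whether the ServiceAccount may perform verb on resource
# across all namespaces (matching the "at the cluster scope" error). Prints yes/no.
can_i() {
  ns="$1"; sa="$2"; verb="$3"; resource="$4"
  kubectl auth can-i "$verb" "$resource" --all-namespaces \
    --as="system:serviceaccount:${ns}:${sa}" || true
}

# Apply the manifest, then confirm the needed verbs are allowed and that a verb
# the operator was never granted (delete) is still denied.
apply_and_verify() {
  ns="$1"; sa="$2"; role="$3"
  rbac_manifest "$ns" "$sa" "$role" | kubectl apply -f -
  for verb in get list watch; do
    [ "$(can_i "$ns" "$sa" "$verb" deployments.apps)" = "yes" ] \
      || { echo "FAIL: $verb on deployments.apps still denied" >&2; return 1; }
  done
  [ "$(can_i "$ns" "$sa" delete deployments.apps)" = "no" ] \
    || { echo "FAIL: delete unexpectedly allowed; binding is too broad" >&2; return 1; }
  echo "least-privilege binding verified for system:serviceaccount:${ns}:${sa}"
}

# Example invocation against a real cluster (assumed names):
#   ./rbac-fix.sh operators my-operator my-operator-reader
if [ "$#" -eq 3 ]; then
  apply_and_verify "$1" "$2" "$3"
fi
```

The negative check (`delete` must stay `no`) is what distinguishes this from the `cluster-admin` shortcut: a binding that makes every verb return `yes` would also pass the original can-i test, so verify both the grant and its boundary.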
Lifecycle
2026-07-02T04:40:08.241053+00:00 — report_created — created