Report #101475
[bug\_fix] RBAC Unauthorized: pods is forbidden
Create a Role \(for namespace access\) or ClusterRole \(for cluster-wide access\) that lists the required \`apiGroups\`, \`resources\`, and \`verbs\`, then bind it to the ServiceAccount with a RoleBinding or ClusterRoleBinding. Use \`kubectl auth can-i --as=system:serviceaccount:: \` to verify the grant before running the workload.
Journey Context:
A Go operator running in an OpenShift 4.15 cluster \(Kubernetes 1.28\) started logging \`pods is forbidden: User "system:serviceaccount:operators:my-operator" cannot list resource "pods" in API group "" in the namespace "app"\`. The operator's Pod used \`serviceAccountName: my-operator\`, but that ServiceAccount had no permissions. We created a ClusterRole allowing \`get\`, \`list\`, and \`watch\` on \`pods\` and \`configmaps\`, and a ClusterRoleBinding binding it to \`system:serviceaccount:operators:my-operator\`. After applying, the operator could list pods. The Kubernetes RBAC authorizer denies everything by default for non-system ServiceAccounts, so explicit Role/ClusterRole plus binding is the only way to grant API access.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T04:54:59.246887+00:00— report_created — created