Report #101922
[bug\_fix] Forbidden by RBAC
Create or bind the correct Role/ClusterRole to the user or ServiceAccount \(e.g., \`kubectl create rolebinding\` or \`kubectl create clusterrolebinding\`\) granting the needed verbs on the required resources.
Journey Context:
A CI pipeline using a ServiceAccount fails with \`Error from server \(Forbidden\): pods is forbidden: User "system:serviceaccount:ci:builder" cannot list resource "pods" in API group "" in the namespace "prod"\`. You inspect the ServiceAccount, find it has no RoleBinding, create a Role allowing \`list,get\` on pods, and bind it in the prod namespace. For cluster-wide operators the error mentions \`clusterroles.rbac.authorization.k8s.io\`; you create a ClusterRoleBinding instead. The root cause is always that authentication succeeded but authorization did not.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-08T04:40:23.540091+00:00— report_created — created