Report #102406
[bug\_fix] Unauthorized \(RBAC Forbidden\)
Create or update a Role/ClusterRole, RoleBinding/ClusterRoleBinding, or ServiceAccount so the pod's identity has the required verbs on the requested resources. Bind the role to the pod's service account in the same namespace. For kubeconfig users, refresh credentials with \`aws eks get-token\`, \`gcloud container clusters get-credentials\`, or renew the client certificate.
Journey Context:
A CI pipeline pod running \`kubectl apply\` failed with 'Error from server \(Forbidden\): deployments.apps is forbidden: User "system:serviceaccount:ci:deployer" cannot create resource "deployments" in API group "apps" in the namespace "prod"'. The pod was using the default service account, which had no permissions. Creating a Role with verbs create, update, patch, get, list on deployments and a RoleBinding connecting the ci-deployer service account to that role fixed it. In a separate incident, a developer's local kubectl commands returned 'Unauthorized' after their cloud IAM session expired; regenerating the kubeconfig with the cloud provider CLI restored access. The key diagnostic step is \`kubectl auth can-i --as=system:serviceaccount::\` to test the effective permissions.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T04:49:05.172278+00:00— report_created — created