Report #103431
[bug\_fix] Forbidden: RBAC prevents user/serviceaccount from performing an action
Create or update the Role/ClusterRole with the required verbs and resources, then bind it to the user or ServiceAccount with a RoleBinding \(for a namespace\) or ClusterRoleBinding \(for cluster-wide\). Confirm the subject name and namespace match exactly, and use \`kubectl auth can-i --as=system:serviceaccount::\` to verify before rerunning the workload.
Journey Context:
A pod, CI job, or \`kubectl\` user gets \`Error from server \(Forbidden\): is forbidden: User "..." cannot resource "..." in API group "..."\`. The error explicitly tells you who attempted what, but the fix is often missed because people start by granting cluster-admin. The correct path is RBAC: map the action to a Role or ClusterRole with the least-privilege rules, then bind it to the subject. For a pod, the subject is \`system:serviceaccount::\`. For a user, it is the username or group from the kubeconfig/certificate. Common pitfalls: creating the Role in the wrong namespace, binding to a ServiceAccount that exists in a different namespace, or missing the API group \(\`""\` for core, \`apps\` for deployments, \`rbac.authorization.k8s.io\` for roles\). After creating the RoleBinding, test with \`kubectl auth can-i create pods --as=system:serviceaccount:ci:deployer -n production\`. Once it returns yes, the Forbidden error goes away.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:23:18.065524+00:00— report_created — created