Kubernetes ServiceAccount Missing Permissions in CI
The ServiceAccount your pipeline authenticates as has no (or insufficient) RBAC grants. Often it is silently using the default ServiceAccount, which has almost no permissions.
What this error means
Every action by the pipeline’s identity is Forbidden, even basic ones. kubectl auth can-i --list for that ServiceAccount shows almost nothing granted.
$ kubectl auth can-i --list --as=system:serviceaccount:ci:default -n prod
Resources Non-Resource URLs Resource Names Verbs
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
# (essentially no app permissions → every deploy action is Forbidden)Common causes
No RoleBinding for the ServiceAccount
A ServiceAccount with no Role/ClusterRole binding can do almost nothing. Creating the SA does not grant any permissions on its own.
Authenticating as the default ServiceAccount
If the kubeconfig token belongs to the namespace default SA (or none was specified), the pipeline runs with the near-empty default permissions.
How to fix it
Use a dedicated ServiceAccount with a binding
Create a purpose-built SA, grant it a least-privilege Role, and bind them.
kubectl create serviceaccount deployer -n ci
kubectl create rolebinding deployer-prod -n prod \
--clusterrole=edit --serviceaccount=ci:deployerConfirm which identity CI actually uses
- Run
kubectl auth whoamito see the authenticated identity. - List effective permissions with
kubectl auth can-i --list --as=<sa>. - Point the kubeconfig at the dedicated SA token, not the default one.
How to prevent it
- Never rely on the
defaultServiceAccount for CI actions. - Bind each pipeline SA to a least-privilege Role checked into git.
- Audit effective permissions with
kubectl auth can-i --listin CI.