Skip to content
Latchkey

Kubernetes ServiceAccount Missing Permissions in CI

The ServiceAccount your pipeline authenticates as has no (or insufficient) RBAC grants. Often it is silently using the default ServiceAccount, which has almost no permissions.

What this error means

Every action by the pipeline’s identity is Forbidden, even basic ones. kubectl auth can-i --list for that ServiceAccount shows almost nothing granted.

kubectl output
$ kubectl auth can-i --list --as=system:serviceaccount:ci:default -n prod
Resources   Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []   []   [create]
# (essentially no app permissions → every deploy action is Forbidden)

Common causes

No RoleBinding for the ServiceAccount

A ServiceAccount with no Role/ClusterRole binding can do almost nothing. Creating the SA does not grant any permissions on its own.

Authenticating as the default ServiceAccount

If the kubeconfig token belongs to the namespace default SA (or none was specified), the pipeline runs with the near-empty default permissions.

How to fix it

Use a dedicated ServiceAccount with a binding

Create a purpose-built SA, grant it a least-privilege Role, and bind them.

Terminal
kubectl create serviceaccount deployer -n ci
kubectl create rolebinding deployer-prod -n prod \
  --clusterrole=edit --serviceaccount=ci:deployer

Confirm which identity CI actually uses

  1. Run kubectl auth whoami to see the authenticated identity.
  2. List effective permissions with kubectl auth can-i --list --as=<sa>.
  3. Point the kubeconfig at the dedicated SA token, not the default one.

How to prevent it

  • Never rely on the default ServiceAccount for CI actions.
  • Bind each pipeline SA to a least-privilege Role checked into git.
  • Audit effective permissions with kubectl auth can-i --list in CI.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →