How to fix serviceaccount cannot list resource in Kubernetes

KubernetesINTERMEDIATEMEDIUM

This RBAC error occurs when a pod's ServiceAccount lacks permission to access Kubernetes resources. Fix it by creating a Role with required permissions and binding it to the ServiceAccount.

What this error means

The "serviceaccount cannot list resource" error indicates that a pod's ServiceAccount doesn't have RBAC permissions to perform the requested API operation. By default, ServiceAccounts in Kubernetes have no permissions—they can't list pods, read secrets, or access any cluster resources. When a pod runs, it uses a ServiceAccount (default: "default" in each namespace). If your application needs to interact with the Kubernetes API (list pods, watch deployments, create configmaps), you must explicitly grant those permissions through RBAC. This error commonly affects operators, controllers, monitoring tools, and any application that uses the Kubernetes client library to interact with the cluster.

How to fix "serviceaccount cannot list resource"

1Identify the ServiceAccount and test permissions

Check which ServiceAccount the pod uses:

bash

# Get ServiceAccount used by pod
kubectl describe pod <pod-name> | grep ServiceAccount

# Test current permissions
kubectl auth can-i list pods \
  --as=system:serviceaccount:<namespace>:<service-account-name> \
  -n <namespace>

Response "no" confirms the permission issue.

2Create a custom ServiceAccount

Create a dedicated ServiceAccount for your application:

bash

kubectl create serviceaccount my-app-sa -n my-namespace

# Verify creation
kubectl get serviceaccount my-app-sa -n my-namespace

Or with YAML:

yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app-sa
  namespace: my-namespace

3Create a Role with required permissions

Define permissions needed by your application:

yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: my-namespace
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]

Apply:

bash

kubectl apply -f role.yaml

4Create RoleBinding for ServiceAccount

Bind the role to the ServiceAccount:

yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: my-namespace
subjects:
- kind: ServiceAccount
  name: my-app-sa
  namespace: my-namespace
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Apply and verify:

bash

kubectl apply -f rolebinding.yaml
kubectl get rolebinding -n my-namespace

5Update pod to use the ServiceAccount

Configure your deployment to use the ServiceAccount:

yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: my-namespace
spec:
  template:
    spec:
      serviceAccountName: my-app-sa  # Use custom SA
      containers:
      - name: app
        image: my-app:latest

Apply and verify:

bash

kubectl apply -f deployment.yaml
kubectl describe pod <new-pod-name> | grep ServiceAccount

6Verify permissions work

Test that the ServiceAccount now has access:

bash

# Test permissions
kubectl auth can-i list pods \
  --as=system:serviceaccount:my-namespace:my-app-sa \
  -n my-namespace

# Check pod logs for successful API calls
kubectl logs <pod-name>

# Test from inside the pod
kubectl exec -it <pod-name> -- \
  wget -qO- --header="Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  https://kubernetes.default.svc/api/v1/namespaces/my-namespace/pods

How to fix serviceaccount cannot list resource in Kubernetes

What this error means

Typical symptoms

Common causes

How to fix "serviceaccount cannot list resource"

Advanced notes

Related errors

Official resources & further reading