So does anyone know exactly what I need to put in my ServiceAccount yaml in order not to be denied access to my ServiceAccount when i try to list things via the REST API: curl https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/default/persistentvolumeclaims -X GET -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" User "system:serviceaccount:default:my-service-service-account" cannot list persistentvolumeclaims in the namespace "default".

My RBAC serviceAccount is setup as follows in the YAML:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Values.service.name }}-service-account
  labels:
    app: {{ .Values.service.name }}
automountServiceAccountToken: true
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: {{ .Values.service.name }}-role
  labels:
    app: {{ .Values.service.name }}
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list","delete"]
- apiGroups: [""] # "" indicates the core API group
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "watch", "list","delete"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: {{ .Values.service.name }}-role-binding
  labels:
    app: {{ .Values.service.name }}
subjects:
  - kind: ServiceAccount
    # Reference to upper's `metadata.name`
    name: {{ .Values.service.name }}-service-account
    # Reference to upper's `metadata.namespace`
    namespace: default
roleRef:
  kind: Role
  name: {{ .Values.service.name }}-role
  apiGroup: rbac.authorization.k8s.io