I'm trying to create a new ClusterRole in a Private Cluster which I'm administering from a Jumpbox but keep hitting the "forbidden: attempt to grant extra privileges" error.

I am authenticated with gcloud as the default compute service account and this has the Kubernetes Engine Admin role.

I have created a cluster role binding for the gcloud service account using

kubectl create ClusterRoleBinding sa-admin-binding --ClusterRole=cluster-admin --User=xxxxxxxx-service-account@xxxx.developer.gserviceaccount.com

When i try to create the cluster role however I get the following error.

Error from server (Forbidden): error when creating "role.yml": clusterroles.rbac.authorization.k8s.io "pod-viewer" is forbidden: attempt to grant extra privileges: [{[list] [] [pods] [] []}] user=&{115268482330004182284 [system:authenticated] map[user-assertion.cloud.google.com:[AKUJVpkbsn........

What I don't understand is why the error comes back with a 'numbered' user account as opposed to the service account I'm authenticated with.

I can add the ClusterRoleBinding to cluster-admin using my own gmail account, authenticate with my own account and then create the new role without problem, but adding the clusterrolebinding for a service account, and authenticating as that service account doesn't seem to grant the permission to create the role.

Interestingly I can add the clusterrolebinding using the numbered account in the error above and that also works but doesn't help me to script the setup as I don't know what that number is in advance nor where it's coming from.