I am trying to run helm status --tiller-namespace=$NAMESPACE $RELEASE_NAME from a container inside that namespace.

I have a role with the rule

  - apiGroups:
      - ""
    resources:
      - pods
      - configmaps
    verbs:
      - get
      - watch

bound to the default service account. But I was getting the error

Error: pods is forbidden: User "system:serviceaccount:mynamespace:default" cannot list resource "pods" in API group "" in the namespace "mynamespace"

So I added the list verb like so

  - apiGroups:
      - ""
    resources:
      - pods
      - configmaps
    verbs:
      - get
      - watch
      - list

and now I have progressed to the error cannot create resource "pods/portforward" in API group "". I couldn't find anything in the k8s docs on how to assign different verbs to different resources in the same apiGroup but based on this example I assumed this should work:

  - apiGroups:
      - ""
    resources:
      - pods
      - configmaps
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - ""
    resources:
      - pods/portforward
    verbs:
      - create

however, now I get the error cannot get resource "configmaps" in API group "". Note I am running a kubectl get cm $CMNAME before I run the helm status command.

So it seems that I did have permission to do a kubectl get cm until I tried to add the permission to create a pods/portforward.

Can anyone explain this to me please?

also the cluster is running k8s version

Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.7+1.2.3.el7", GitCommit:"cfc2012a27408ac61c8883084204d10b31fe020c", GitTreeState:"archive", BuildDate:"2019-05-23T20:00:05Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}

and helm version

Server: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}