I'm trying to scale up & down deployments from within a pod.
To do that, I've created a service account, clusterrolebinding with the following rbac:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  namespace: backups-scripts
  name: backups-roles
rules:
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - delete
      - watch
  - apiGroups: ["apps","extensions"]
    resources:
      - deployments
      - replicasets
      - statefulsets
    verbs:
      - get
      - list
      - patch
      - update
      - watch
      - scale

When testing with auth can-i kube say everything is ok:

$ kubectl auth can-i delete deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
no - no RBAC policy matched
$ kubectl auth can-i list deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
$ kubectl auth can-i scale deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
$ kubectl auth can-i update deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
$ kubectl auth can-i patch deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes

But now when within the pod the kubectl command is executed I get the following error:

$ kubectl scale --replicas="$replicas" deployment -n "vm-catalogue" "mysql"
 Error from server (Forbidden): deployments.extensions "mysql" is forbidden: User "system:serviceaccount:backups-scripts:backups-sa" cannot get resource "deployments/scale" in API group "extensions" in the namespace "vm-catalogue"

I known the "list" and "get" verbs works because I'm extracting those information within the script (and that part works).

So.. I don't get it, what did I missed?