Why the pods running with a service account with needed permissions cannot list pods?

Question

I have created a service account "serviceacc" in a namespace xyz and gave it needed permissions. Yet it could not list pods. Here are the steps I followed.

$kubectl create namespace xyz

$kubectl apply -f objects.yaml

Where content of objects.yaml

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: xyz
  name: listpodser
rules:
  - apiGroups: [""]
    resources: ["pod"]
    verbs: ["get", "list"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: xyz
  name: service-listpodser
subjects:
  - kind: ServiceAccount
    name: serviceacc 
    apiGroup: ""
roleRef:
  kind: Role
  name: listpodser
  apiGroup: ""

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: serviceacc
  namespace: xyz

Then I checked if the service account has permission to list pods:

$ kubectl auth can-i get pods --namespace  xyz --as system:serviceaccount:xyz:serviceacc
no

$ kubectl auth can-i list pods --namespace  xyz --as system:serviceaccount:xyz:serviceacc
no

As we can see from the output of above command, it cannot get/list pods.

Answer 1

Simple naming confusion. Use pods instead of pod in the resource list.

Answer 2

You can do it simpler and easier this way:

kubectl create sa serviceacc -n xyz
kubectl create role listpodser --verb=get,list --resource=po -n xyz
kubectl create -n xyz rolebinding service-listpodser --role=listpodser --serviceaccount=xyz:serviceacc

Note the short name for pods is accepted here po, you can use the short name for any api object

short names: If you need to list the short names for all objects, run this command kubectl apu-resources, the same way you can use the short name for other objects.e.g. pv instead of persistentvolume.

This way you can write these three lines into a shell script to create all in one shot