Description
What happened:
I created a serviceaccount, role and rolebinding to read secrets in a given namespace. I forgot to specify the namespace in the rolebinding, meaning the serviceaccount wasn't actually able to read the secrets. However, when I ran `kubectl auth can-i get secrets -as <serviceaccount> -n <namespace>` the answer came back as `yes`.
What you expected to happen:
I would have expected the answer to be `no`, which would then have told me the issue was somewhere in the role/rolebinding, as opposed to in the system using the serviceaccount.
How to reproduce it (as minimally and precisely as possible):
```
$ kubectl version
Client Version: v1.30.3
Server Version: v1.30.1
```
Create a serviceaccount:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-sa
  namespace: example
```
Create a role granting the necessary permissions:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: example
  name: secretreader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
```
Create a rolebinding, but forget to add `metadata.namespace`:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secretreader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secretreader
subjects:
- apiGroup: ""
  kind: ServiceAccount
  name: example-sa
  namespace: example
```
Run the command:
```
$ kubectl auth can-i get secrets -as example-sa -n example
yes
```
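Two things are worth checking before concluding that `can-i` is wrong, and the script below does both. It is an added example, not part of the report or of kubectl. First, the subject: kubectl's impersonation flag is `--as` (the report writes `-as`), and `--as example-sa` impersonates a *user* named `example-sa`; a ServiceAccount authenticates as `system:serviceaccount:<namespace>:<name>` and is a member of the groups `system:serviceaccounts` and `system:serviceaccounts:<namespace>`, so that is the identity RBAC evaluates for `kind: ServiceAccount` subjects. Second, the binding: a manifest with no `metadata.namespace` is created in the kubeconfig context's namespace (normally `default`), and a RoleBinding's `roleRef` is resolved against a Role in the binding's own namespace, so the binding above grants nothing in `example`. The script asks the question as the ServiceAccount's real identity, then confirms server-side with a `SubjectAccessReview`, which answers for that identity regardless of how the caller is authenticated. The namespace and object names are taken from the report and are assumptions; override them with environment variables.

```shell
#!/bin/sh
# Added example (not from the report): check the ServiceAccount's real RBAC
# identity instead of a user named after it. Names assumed from the report:
# namespace "example", ServiceAccount "example-sa", RoleBinding "secretreader".
set -eu

NS="${NS:-example}"
SA="${SA:-example-sa}"
RB="${RB:-secretreader}"

# "--as example-sa" impersonates a *user* called example-sa. A ServiceAccount
# authenticates to the API server as system:serviceaccount:<namespace>:<name>,
# which is the subject that bindings with kind: ServiceAccount resolve to.
sa_username() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Groups every ServiceAccount carries; bindings may target these instead of
# the individual account, so the check should include them.
sa_groups() {
  printf 'system:serviceaccounts system:serviceaccounts:%s' "$1"
}

# Map `kubectl auth can-i` output ("yes", "no", or "yes - <reason>") to a verdict.
can_i_verdict() {
  case "$1" in
    yes*) echo allowed ;;
    no*)  echo denied ;;
    *)    echo unknown ;;
  esac
}

check_cluster() {
  user="$(sa_username "$NS" "$SA")"

  # 1. Where did the RoleBinding land? A manifest without metadata.namespace is
  #    created in the kubeconfig context's namespace (normally "default"), and a
  #    RoleBinding's roleRef is resolved against a Role in its *own* namespace.
  echo "RoleBinding '$RB' exists in:"
  kubectl get rolebinding -A --field-selector "metadata.name=$RB"

  # 2. Impersonate the ServiceAccount and its groups, not a user with its short
  #    name. can-i exits non-zero on "no", so capture the text, not the status.
  group_args=""
  for g in $(sa_groups "$NS"); do
    group_args="$group_args --as-group=$g"
  done
  out="$(kubectl auth can-i get secrets -n "$NS" --as="$user" $group_args || true)"
  echo "can-i get secrets in $NS as $user: $(can_i_verdict "$out")"

  # 3. Server-side answer for that identity via SubjectAccessReview; this depends
  #    only on RBAC, not on the caller's own impersonation rights.
  kubectl create -f - -o jsonpath='SubjectAccessReview allowed={.status.allowed}{"\n"}' <<EOF
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: $user
  groups: ["system:serviceaccounts", "system:serviceaccounts:$NS"]
  resourceAttributes:
    namespace: $NS
    verb: get
    resource: secrets
EOF
}

# Only talk to a cluster when asked; the helper functions above run anywhere.
if [ "${1:-}" = "--run" ]; then
  check_cluster
fi
```

Run it against the cluster with `NS=example SA=example-sa RB=secretreader sh check-sa-rbac.sh --run`. Step 1 should list the binding in `default` rather than `example`, and steps 2 and 3 should both report the access as denied; if step 2 says allowed while step 3 says denied, the `can-i` request is not being evaluated as the identity you think it is.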
Anything else we need to know?:
Environment:
- Kubernetes client and server versions (use `kubectl version`):
  - Client Version: v1.30.3
  - Server Version: v1.30.1
- Cloud provider or hardware configuration: VM on our self-managed OpenStack env
- OS: Talos (v1.7.4)