K8s rbac - 服务帐户缺少功能

我正在玩弄一点，我想知道为什么我的服务帐户“klubectl auth can-i”输出不会受到给定角色的影响。 重现步骤，从基本的环境开始：

kind 创建集群 --config kind-example-config.yaml

而 yaml 是：

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
# patch the generated kubeadm config with some extra settings
kubeadmConfigPatches:
- |
  apiVersion: kubelet.config.k8s.io/v1beta1
  kind: KubeletConfiguration
  evictionHard:
    nodefs.available: "0%"
# patch it further using a JSON 6902 patch
kubeadmConfigPatchesJSON6902:
- group: kubeadm.k8s.io
  version: v1beta3
  kind: ClusterConfiguration
  patch: |
    - op: add
      path: /apiServer/certSANs/-
      value: my-hostname
# 1 control plane node and 3 workers
nodes:
# the control plane node config
- role: control-plane
# the three workers
- role: worker
- role: worker
- role: worker

然后创建测试命名空间：

kubectl 创建 ns 测试命名空间

...然后切换到ns：

kubectl config set-context --current --namespace=test-namespace

创建一个 sa：

kubectl 创建购物 API

创建角色（我将直接放置yaml）：

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test-namespace
  name: shopping-api
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

最后是角色绑定：

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shopping-api
  namespace: test-namespace
subjects:
- kind: ServiceAccount
  name: shopping-api
roleRef:
  kind: Role
  name: shopping-api
  apiGroup: rbac.authorization.k8s.io

现在...如果在这种情况下我尝试：

kubectl auth can-i --list --as=shopping-api --namespace=test-namespace

与创建时相同：

Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectreviews.authentication.k8s.io        []                  []               [create]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/livez]            []               [get]
                                                [/livez]            []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/readyz]           []               [get]
                                                [/readyz]           []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]

如果我检查是否可以列出 pod，这就是结果：

E:\Development\k8s.lab>kubectl auth can-i list pod --as=shopping-api
no

我遗漏了一些东西，请为我指出正确的方向以了解发生了什么，因为在 pods apigroup 中我已经明确表示“列表”对于这个角色来说是完全合法的。