Kubernetes ServiceAccount cannot list certain resources (K8s 1.24)

Problem description    Votes: 0    Answers: 1

Even though the Role and RoleBinding have sufficient permissions, my service account cannot list certain resources.

I am seeing this error:

2023-09-08T15:30:21.875Z    INFO    controller  k8s.io/[email protected]/tools/cache/reflector.go:169: 
failed to list *v1.Lease: leases.coordination.k8s.io is forbidden: User "system:serviceaccount:karpenter:karpenter" 
cannot list resource "leases" in API group "coordination.k8s.io" 
in the namespace "kube-node-lease"

When I check the service account's authentication, I see the following error.

➜  ~ kubectl auth  can-i get leases --as system:serviceaccount:karpenter:karpenter
error: You must be logged in to the server (the server has asked for the client to provide credentials (post selfsubjectaccessreviews.authorization.k8s.io))

Role/RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: karpenter-lease
  namespace: kube-node-lease
  labels:
    helm.sh/chart: karpenter-v0.30.0
    app.kubernetes.io/name: karpenter
    app.kubernetes.io/instance: karpenter
    app.kubernetes.io/version: "0.30.0"
    app.kubernetes.io/managed-by: Helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: karpenter-lease
subjects:
  - kind: ServiceAccount
    name: karpenter
    namespace: karpenter
---
# Source: karpenter/templates/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: karpenter-lease
  namespace: kube-node-lease
  labels:
    helm.sh/chart: karpenter-v0.30.0
    app.kubernetes.io/name: karpenter
    app.kubernetes.io/instance: karpenter
    app.kubernetes.io/version: "0.30.0"
    app.kubernetes.io/managed-by: Helm
rules:
  # Read
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
  # Write
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["delete"]

AFAIK, K8s 1.24 made some breaking changes to service account tokens, which is why I also created a token for the service account, but it doesn't seem to work.

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: karpenter
  annotations:
    kubernetes.io/service-account.name: karpenter
type: kubernetes.io/service-account-token
EOF

Have any of you run into an issue like this?

Thanks for your help.

kubernetes service-accounts rbac
1 Answer
0
votes

To debug, you should first make sure that the Secret and the ServiceAccount objects are in the karpenter namespace, because the Secret YAML manifest you provided has no namespace field.

One more thing: judging by the command, it doesn't look right; you have to specify the namespace:

kubectl auth can-i get leases --as system:serviceaccount:karpenter:karpenter \
--namespace kube-node-lease

Regarding the second error:

error: You must be logged in to the server (the server has asked for the client to provide credentials (post selfsubjectaccessreviews.authorization.k8s.io))

This is a very common error, related to authentication problems with the API server.

So make sure you are logged in to the correct context; to check, verify that you can run any other command, for example:

kubectl config current-context  # view your current context
kubectl get rolebinding,role,sa --namespace karpenter
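To see why the `--namespace` flag matters here, the following is an added example (not code from the question, the answer or Karpenter) that evaluates the question's Role and RoleBinding the way the API server's RBAC authorizer does for namespaced bindings; the manifests are transcribed into Python dicts, and ClusterRoleBindings are deliberately left out.

```python
# Constructed from the Role and RoleBinding posted in the question (kube-node-lease).
ROLE = {
    "metadata": {"name": "karpenter-lease", "namespace": "kube-node-lease"},
    "rules": [
        {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["delete"]},
    ],
}
ROLE_BINDING = {
    "metadata": {"name": "karpenter-lease", "namespace": "kube-node-lease"},
    "roleRef": {"kind": "Role", "name": "karpenter-lease"},
    "subjects": [{"kind": "ServiceAccount", "name": "karpenter", "namespace": "karpenter"}],
}
SA_USER = "system:serviceaccount:karpenter:karpenter"  # the user named in the error log


def subject_username(subject):
    """A ServiceAccount subject authenticates as system:serviceaccount:<ns>:<name>."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["name"]  # User subjects are matched on the name field as-is


def rule_matches(rule, verb, group, resource):
    # A rule grants the request when every field lists the value or the "*" wildcard.
    def hit(values, wanted):
        return "*" in values or wanted in values
    return hit(rule["apiGroups"], group) and hit(rule["resources"], resource) and hit(rule["verbs"], verb)


def can_i(roles, bindings, user, verb, group, resource, namespace):
    """Namespaced RBAC only: a RoleBinding grants nothing outside its own namespace,
    so `kubectl auth can-i` must be asked about kube-node-lease, not the default ns."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for rb in bindings:
        ns = rb["metadata"]["namespace"]
        if ns != namespace or rb["roleRef"]["kind"] != "Role":  # ClusterRoles not modelled
            continue
        if user not in {subject_username(s) for s in rb["subjects"]}:
            continue
        role = roles_by_key.get((ns, rb["roleRef"]["name"]))
        if role and any(rule_matches(r, verb, group, resource) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    req = (SA_USER, "list", "coordination.k8s.io", "leases")
    print(can_i([ROLE], [ROLE_BINDING], *req, "kube-node-lease"), can_i([ROLE], [ROLE_BINDING], *req, "default"))  # True False
```

Because the grant is allowed in kube-node-lease but denied in the context's default namespace, a `can-i` check without `--namespace` reports a false negative even when the RBAC objects are correct, which separates an authorization problem from the authentication error shown in the question.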