Hi folks, I have a rancher deployed RKE2 (1.32.5) cluster... I need to create a service account on this downstream cluster that can list all pods in all namespaces Below is what I have, but it does not seem to work when I check with:

kubectl auth can-i get pods --all-namespaces --as my-service-account

What am I missing?

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default  # You can specify any namespace you prefer
---
apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: ClusterRole
metadata:
  name: get-pods-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: ClusterRoleBinding
metadata:
  name: get-pods-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: my-service-account
  namespace: default  # Use the same namespace where the service account was created
roleRef:
  kind: ClusterRole
  name: get-pods-clusterrole
  apiGroup: <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>

I have no idea... but...

oh! how did I miss that... thanks, let me give that a go