I followed the exact same config and added few more resource including pod and validated the same ::

kubectl auth can-i post pod -n namespace1 --as system:serviceaccount:default:sa

Response :: yes

But then I was not able to create Pod in the namespace namespace1 with the serviceaccount sa.

k get pod -n namespace1

No resources found.

And the error message :: forbidden: error looking up service account namespace1/sa: serviceaccount "sa" not found

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store