For our database migrations we are using Kubernetes Jobs and init containers as discussed here.
However when we tried to deploy the job container, it failed with the following error:
Error from server (Forbidden): jobs.batch "example-migration" is forbidden: User "system:serviceaccount:example-ns:default" cannot get resource "jobs" in API group "batch" in the namespace "example-ns": Azure does not have opinion for this user.
The deployment reads and lists jobs using the default service account in the "example-ns" namespace. This default service account does not have the necessary API permissions in the Kubernetes cluster.
To fix it, we created a new service account, role and role binding:
After doing that, we had to update our deployment to use this service account:
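A least-privilege set of manifests for the fix described above, as an added example rather than the manifests from the original post. The namespace and API group come from the error message; the names migration-watcher, job-reader and example-app and the container image are placeholders.

```yaml
# Added example; every name except example-ns is a placeholder.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: migration-watcher        # hypothetical name
  namespace: example-ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                       # namespaced Role, not a ClusterRole
metadata:
  name: job-reader               # hypothetical name
  namespace: example-ns
rules:
  - apiGroups: ["batch"]         # API group named in the Forbidden error
    resources: ["jobs"]
    verbs: ["get", "list"]       # read-only: no create, update or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: migration-watcher-job-reader
  namespace: example-ns
subjects:
  - kind: ServiceAccount
    name: migration-watcher
    namespace: example-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: job-reader
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app              # hypothetical name
  namespace: example-ns
spec:
  selector:
    matchLabels: {app: example-app}
  template:
    metadata:
      labels: {app: example-app}
    spec:
      serviceAccountName: migration-watcher   # replaces the "default" account
      containers:
        - name: app
          image: registry.example.com/example-app:1.0   # placeholder image
```

Binding the role to a dedicated service account leaves the namespace's default account without job access, so other pods in example-ns do not inherit it. The grant can be checked with: kubectl auth can-i get jobs.batch -n example-ns --as=system:serviceaccount:example-ns:migration-watcher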