ServiceRoleBinding with service account

I have one cluster with 3 pods and 3 services (first, second and third).

my services are:
aks-helloworld-first cluster ip: ,
aks-helloworld-sec cluster ip: ,
aks-helloworld-third cluster ip:

the pods are:
aks-helloworld-first selector:app=helloworld-first
aks-helloworld-sec selector: app=helloworld-sec
aks-helloworld-third selector: app=helloworld-third

service account:
helloworld-s-1 1 23h
helloworld-s-2 1 23h
helloworld-s-3 1 23h

i created the following and i was able to access only “first” app as expected (third and sec were able to access first and all the other were denied):

apiVersion: “
kind: ServiceRole
name: service-viewer
namespace: default

  • services: [“aks-helloworld-first.*”]

apiVersion: “
kind: ServiceRoleBinding
name: bind-service-viewer
namespace: default

  • user: “*”
    kind: ServiceRole
    name: “service-viewer”

when i tried to write in “bind-service-viewer” specific user only (helloworld-s-3 which is service account related to third) - everything were denied again including the third. how can i solve it? to grant access to specific service account?

  • user: “helloworld-s-3”

Did you enable mTLS when using service account in the binding? The mTLS is required in this case.

Also suggest to post in the #security group for topics like this as you can usually get faster reply. Thanks!