Kubernetes理解-kubectl-auth-can-i的输出

我试图理解为什么在一个集群上允许操作，但在另一个集群中我得到了以下

Exception encountered setting up namespace watch from Kubernetes API v1 endpoint https://10.100.0.1:443/api: namespaces is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "namespaces" in API group "" at the cluster scope ({"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"namespaces is forbidden: User \"system:serviceaccount:kube-system:default\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"namespaces"},"code":403}n)"

我正在管理两个Kubernetes集群-

clusterA用Kops版本v1.14.8启动

clusterB在AWS EKS版本v1.14.9-eks-f459c0上启动

因此，我尝试使用kubectl auth命令来尝试弄清楚，我确实看到在一个命令上我被允许，但在第二个命令上，我不被允许，正如你所看到的：

kubectl config use-context clusterA
Switched to context "clusterA".
kubectl auth can-i list pods --as=system:serviceaccount:kube-system:default -n kube-system
yes
kubectl config use-context clusterB
Switched to context "clusterB".
kubectl auth can-i list pods --as=system:serviceaccount:kube-system:default -n kube-system
no

有没有办法理解这两个基于yes/no的决策是什么？谢谢你的帮助！