kubernetes: kubedns can not start with “Failed to list *v1.Endpoints: Unauthorized” and “Failed to list *v1.Service: Unauthorized”

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug /kind feature

What happened: The problem described in Stack Overflow here. What you expected to happen: I read the issue #50799 and I create the correct service account and kubeconfig file. And I try to add a new test containers in the kube-dns deployment to test the service account token. I can use kube-dns service account list and watch endpoints and service like this: [root@master ~]# kubectl auth can-i list endpoints --as system:serviceaccount:kube-system:kube-dns yes [root@kube-dns-7ffcffb7b6-bg62g /]# curl -X GET --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/servic eaccount/token)" https://177.1.1.40/api/v1/endpoints { "kind": "EndpointsList", "apiVersion": "v1", "metadata": { "selfLink": "/api/v1/endpoints", "resourceVersion": "13505189" }, "items": [ { "metadata": { "name": "java-srv", "namespace": "default", "selfLink": "/api/v1/namespaces/default/endpoints/java-srv", "uid": "94b1f6cf-867f-11e8-9bdb-525400c4f6bf", "resourceVersion": "9669151", "creationTimestamp": "2018-07-13T09:31:54Z", "labels": { "java": "war" } } }, is there something wrong?