Run this at the start of every heartbeat before using kubectl:

kubectl config set-credentials sa-token --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"

Why: The kubeconfig at ~/.kube/config was set up with a token whose aud (audience) claim names the external cluster endpoint (https://192.168.32.100:6443), while the cluster server in that kubeconfig is https://kubernetes.default.svc (the in-cluster endpoint). The API server rejects a token presented to an endpoint that is not in its audience, so this mismatch shows up as Unauthorized errors. The service account token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token always works for the in-cluster endpoint.

How to apply: Add this one-liner as the first kubectl operation in any heartbeat. After running it, all subsequent kubectl commands work normally without needing --token flags.
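Added example (not part of the original note): a small POSIX sh check that decodes the aud claim of a JWT and compares it with the server the kubeconfig points at, so the mismatch described above is detected before kubectl returns Unauthorized. It assumes base64 with -d (GNU coreutils or modern BSD); the two tokens are constructed, unsigned samples, not real credentials.

```shell
#!/bin/sh
# Base64url-encode a string without padding, the way JWT segments are encoded.
b64url() {
    printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'
}

# Decode one base64url JWT segment, restoring the padding that base64 -d expects.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the first aud value of a JWT; aud may be a plain string or an array.
jwt_aud() {
    payload=$(printf '%s' "$1" | cut -d. -f2)
    b64url_decode "$payload" | sed -n 's/.*"aud":\[*"\([^"]*\)".*/\1/p'
}

# Return 0 when the token's aud matches the kubeconfig server, 1 otherwise.
aud_matches_server() {
    [ "$(jwt_aud "$1")" = "$2" ]
}

# Constructed sample tokens (alg "none", fake signature) mirroring the two cases
# in the note: one scoped to the external IP, one to the in-cluster endpoint.
HEADER=$(b64url '{"alg":"none","typ":"JWT"}')
EXTERNAL_TOKEN="$HEADER.$(b64url '{"sub":"system:serviceaccount:default:app","aud":["https://192.168.32.100:6443"]}').sig"
INCLUSTER_TOKEN="$HEADER.$(b64url '{"sub":"system:serviceaccount:default:app","aud":"https://kubernetes.default.svc"}').sig"

# In a real heartbeat, replace these with the live values, e.g.
#   kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
#   kubectl config view --minify --raw -o jsonpath='{.users[0].user.token}'
KUBE_SERVER="https://kubernetes.default.svc"
if aud_matches_server "$EXTERNAL_TOKEN" "$KUBE_SERVER"; then
    echo "token audience matches $KUBE_SERVER"
else
    echo "aud mismatch: token is for $(jwt_aud "$EXTERNAL_TOKEN"), kubeconfig server is $KUBE_SERVER; re-point credentials at the mounted SA token"
fi
```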