Enable k8s pods from multiple namespaces to read vault secret through vault agent

I have a vault setup in k8s with k8s auth enabled to allow vault agent to read secrets and export them as environment variables to a k8s pod using a K8s service account. Everything is working fine if I’m using a single k8s namespace.

I am not able to use a service account from namespace A when trying to use it in namespace B after attaching it via a rolebinding in namespace B.

Step 1 - I created a service account called vault-ro in the default namespace and configured it in the vault k8s auth role. Everything works well for any k8s pod in the default namespace; they are able to read secrets from vault.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-ro

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
   name: role-tokenreview-binding ##This Role!
   namespace: default
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-ro
  namespace: default

Now, I want to enable namespace B to use the same vault role and k8s service account to read secrets from vault, so I created a rolebinding as follows in namespace B.

Role binding in namespace B:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
   name: role-tokenreview-binding-dev
   namespace: B
roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: vault-ro
  namespace: default

Expected behavior: I should be able to spin up a k8s pod with the vault-ro service account and it should be able to read secrets from vault the same way as it does in the default namespace, but when I try that, I’m getting this error:

Error from server (Forbidden): error when creating "test-app-nonprod.yaml": pods "test-app" is forbidden: error looking up service account B/vault-ro: serviceaccount "vault-ro" not found

Why is it not able to reference the service account vault-ro from the default namespace, and why is it still trying to find it in the dev namespace? Is it something to do with vault? I tried my best to search everywhere, and all documents say the above should work!

Appreciate any help!
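
Added example, not part of the original post: the error above shows the API server looking up the pod's service account as B/vault-ro, because a pod can only run as a ServiceAccount from its own namespace, and a RoleBinding grants permissions to a subject without making that account usable in another namespace. One layout consistent with that, assuming the Kubernetes auth method is mounted at the default `auth/kubernetes` path; `<role-name>` and `<your-app-image>` are placeholders, and `B` stands for the real namespace name as in the post.

```yaml
# Added example (not from the original post).
# 1. A ServiceAccount named vault-ro that lives in namespace B itself.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-ro
  namespace: B
# 2. The pod in namespace B refers to that local account by name only.
#    serviceAccountName has no namespace part and is always resolved
#    in the pod's own namespace.
---
apiVersion: v1
kind: Pod
metadata:
  name: test-app
  namespace: B
spec:
  serviceAccountName: vault-ro
  containers:
  - name: app
    image: <your-app-image>   # placeholder
# 3. On the Vault side, the Kubernetes auth role from step 1 has to list
#    namespace B next to default, otherwise logins presented by
#    B/vault-ro do not match the role. <role-name> is a placeholder:
#
#    vault write auth/kubernetes/role/<role-name> \
#        bound_service_account_names=vault-ro \
#        bound_service_account_namespaces=default,B \
#        ...   # plus the role's existing policy and TTL settings
```

Whether B/vault-ro also needs a `system:auth-delegator` binding depends on which token Vault uses for its TokenReview calls: if Vault is configured with its own reviewer token, the client account in namespace B does not need that binding.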