
Summary
This rule identifies Kubernetes service accounts that have encountered forbidden access failures on Google Cloud Platform (GCP). By analyzing Pub/Sub message logs, it captures events whose response status indicates that a service account lacked permission for the request. The search extracts key fields such as the source IP, user agent, resource namespace, cluster name, and the specific verb used in the request. It organizes the findings into a table and supports further analysis with operators like top or rare to observe trends in failure messages, user agents, or IP addresses. The rule is part of a broader initiative to track access to sensitive objects in Kubernetes environments and is particularly concerned with weaknesses arising from improper authentication and authorization practices in managed GCP Kubernetes clusters.
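As an added illustration (not the rule's own search logic), the following Python applies the same filter to a few constructed Pub/Sub audit-log messages and flattens each hit into the columns the rule tabulates. The protoPayload and resource.labels field paths, and the status code 7 (PERMISSION_DENIED) check, are assumptions about the GCP audit-log layout; verify them against your own export.

```python
import json
from collections import Counter
PERMISSION_DENIED = 7  # assumed google.rpc.Code value for a forbidden request

def make_entry(cluster, principal, ip, ua, method, resource, code, msg):
    """Build one constructed audit-log entry in the assumed GCP audit-log layout."""
    return json.dumps({
        "resource": {"type": "k8s_cluster", "labels": {"cluster_name": cluster}},
        "protoPayload": {"status": {"code": code, "message": msg},
                         "authenticationInfo": {"principalEmail": principal},
                         "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": ua},
                         "methodName": method, "resourceName": resource}})

# Constructed samples: three forbidden service-account requests (one on a second cluster) and one allowed human request.
SAMPLE_MESSAGES = [
    make_entry("prod-gke", "system:serviceaccount:default:app", "10.0.1.5", "kubectl/v1.29",
               "io.k8s.core.v1.secrets.list", "core/v1/namespaces/kube-system/secrets",
               PERMISSION_DENIED, 'secrets is forbidden: User "system:serviceaccount:default:app" cannot list'),
    make_entry("prod-gke", "system:serviceaccount:default:app", "10.0.1.5", "kubectl/v1.29",
               "io.k8s.core.v1.configmaps.get", "core/v1/namespaces/kube-system/configmaps/cfg",
               PERMISSION_DENIED, 'configmaps "cfg" is forbidden'),
    make_entry("dev-gke", "system:serviceaccount:ci:runner", "10.0.2.7", "curl/8.4",
               "io.k8s.core.v1.secrets.get", "core/v1/namespaces/ci/secrets/deploy-key",
               PERMISSION_DENIED, 'secrets "deploy-key" is forbidden'),
    make_entry("prod-gke", "alice@example.com", "203.0.113.9", "kubectl/v1.29",
               "io.k8s.core.v1.pods.list", "core/v1/namespaces/default/pods", 0, ""),
]

def forbidden_service_account_events(messages):
    """Return one flat row per forbidden request made by a Kubernetes service account."""
    rows = []
    for raw in messages:
        entry = json.loads(raw)
        payload = entry.get("protoPayload", {})
        status, meta = payload.get("status", {}), payload.get("requestMetadata", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        denied = status.get("code") == PERMISSION_DENIED or "forbidden" in status.get("message", "").lower()
        if not denied or not principal.startswith("system:serviceaccount:"):
            continue  # keep only service-account permission failures, as the rule does
        parts = payload.get("resourceName", "").split("/")
        namespace = parts[parts.index("namespaces") + 1] if "namespaces" in parts[:-1] else ""
        rows.append({"src_ip": meta.get("callerIp", ""), "user_agent": meta.get("callerSuppliedUserAgent", ""),
                     "namespace": namespace, "verb": payload.get("methodName", "").rsplit(".", 1)[-1],
                     "cluster": entry.get("resource", {}).get("labels", {}).get("cluster_name", ""),
                     "principal": principal, "message": status.get("message", "")})
    return rows

def top(rows, field, n=3):
    return Counter(r[field] for r in rows).most_common(n)  # counterpart of the search's top operator
```

Running top over the src_ip or user_agent column of the returned rows reproduces the trend view the rule describes; rare is the same call read from the other end of the list.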
Categories
- Cloud
- Kubernetes
Data Sources
- Cloud Service
- Container
- Application Log
Created: 2024-11-14