Kubernetes RBAC permissions for kubectl top pods
Recently at work, I was trying to figure out the exact RBAC permissions required to let a user run kubectl top pods.
I assumed standard pod read permissions would be enough. I am not an expert on Kubernetes RBAC, but it turns out that granting permissions for ["get", "list", "watch"] on pods under apiGroups: [""] is not enough.
To actually get the metrics, you need to explicitly grant access to the metrics API: the rule's apiGroups has to be ["", "metrics.k8s.io"], so that it covers the metrics.k8s.io group as well as the core group. I hope this helps someone else avoid the same confusion.
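The two rules described above, side by side, as an added example that is not from the original post. The namespace `demo`, the Role names and the user `jane` are hypothetical placeholders.

```yaml
# Before: pod read in the core group only. This is the rule that turned
# out not to be enough, because `kubectl top pods` reads pod metrics
# from the metrics.k8s.io API group, which the rule does not cover.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader              # hypothetical name
  namespace: demo               # hypothetical namespace
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
# After: the same rule with metrics.k8s.io added to apiGroups.
# Still namespaced and still read-only, so the grant stays narrow.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-metrics-reader      # hypothetical name
  namespace: demo
rules:
  - apiGroups: ["", "metrics.k8s.io"]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
# Bind only the corrected Role to the user.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-metrics-reader-jane # hypothetical name
  namespace: demo
subjects:
  - kind: User
    name: jane                  # hypothetical user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-metrics-reader
  apiGroup: rbac.authorization.k8s.io
# Check the grant without running the command as the user:
#   kubectl auth can-i list pods.metrics.k8s.io --as=jane -n demo
```

A Role grants access in its own namespace only, so `kubectl top pods` works for this user with `-n demo` and not across all namespaces.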