Comment 6 for bug 2007575

Peter Jose De Sousa (pjds) wrote (last edit):

Further on this issue: there are other problems encountered, as reported by @Barteus and team.

barteus@barteus-xps:~$ /snap/juju/current/bin/juju add-k8s --cloud google hackaton-cluster1
ERROR making juju admin credentials in cluster: ensuring service account "juju-credential-64f26484" in namespace "kube-system": serviceaccounts is forbidden: User "<email address hidden>" cannot create resource "serviceaccounts" in API group "" in the namespace "kube-system": GKE Warden authz [denied by managed-namespaces-limitation]: the namespace "kube-system" is managed and the request's verb "create" is denied
barteus@barteus-xps:~$ kubectl get service account -A
error: a resource cannot be retrieved by name across all namespaces
barteus@barteus-xps:~$ kubectl get serviceaccount -A
NAMESPACE NAME SECRETS AGE
default default 0 43h
gke-gmp-system collector 0 43h
gke-gmp-system default 0 43h
gke-gmp-system operator 0 43h
gke-managed-filestorecsi default 0 43h
gmp-public default 0 43h
kube-node-lease default 0 43h
kube-public default 0 43h
kube-system antrea-agent 0 43h
kube-system antrea-controller 0 43h
kube-system antrea-cpha 0 43h
kube-system attachdetach-controller 0 43h
kube-system certificate-controller 0 43h
kube-system cilium-win 0 43h
kube-system cloud-provider 0 43h
kube-system clouddns 0 43h
kube-system clusterrole-aggregation-controller 0 43h
kube-system cronjob-controller 0 43h
kube-system daemon-set-controller 0 43h
kube-system default 0 43h
kube-system deployment-controller 0 43h
kube-system disruption-controller 0 43h
kube-system egress-nat-controller 0 43h
kube-system endpoint-controller 0 43h
kube-system endpointslice-controller 0 43h
kube-system endpointslicemirroring-controller 0 43h
kube-system ephemeral-volume-controller 0 43h
kube-system event-exporter-sa 0 43h
kube-system expand-controller 0 43h
kube-system filestorecsi-node-sa 0 43h
kube-system fluentbit-gke 0 43h
kube-system gcsfusecsi-node-sa 0 43h
kube-system generic-garbage-collector 0 43h
kube-system gke-metadata-server 0 43h
kube-system gke-metrics-agent 0 43h
kube-system ip-masq-agent 0 43h
kube-system job-controller 0 43h
kube-system konnectivity-agent 0 43h
kube-system konnectivity-agent-cpha 0 43h
kube-system kube-dns 0 43h
kube-system kube-dns-autoscaler 0 43h
kube-system kube-proxy 0 43h
kube-system metadata-proxy 0 43h
kube-system metrics-server 0 43h
kube-system namespace-controller 0 43h
kube-system netd 0 43h
kube-system node-controller 0 43h
kube-system node-local-dns 0 43h
kube-system pdcsi-node-sa 0 43h
kube-system persistent-volume-binder 0 43h
kube-system pkgextract-cleanup-service 0 43h
kube-system pkgextract-service 0 43h
kube-system pod-garbage-collector 0 43h
kube-system pv-protection-controller 0 43h
kube-system pvc-protection-controller 0 43h
kube-system replicaset-controller 0 43h
kube-system replication-controller 0 43h
kube-system resourcequota-controller 0 43h
kube-system root-ca-cert-publisher 0 43h
kube-system service-account-controller 0 43h
kube-system service-controller 0 43h
kube-system statefulset-controller 0 43h
kube-system ttl-after-finished-controller 0 43h
kube-system ttl-controller 0 43h

The GKE cluster will deny serviceaccount creation in the kube-system namespace. It appears that GKE implements some validation over requests sent to the K8S API, controlling/denying the modification and creation of resources in kube-system. https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview
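As an added example (not part of this comment, and not juju's own code): a small POSIX shell helper that pulls the denied verb, resource, namespace and GKE policy out of an error like the one above, so an operator can tell an ordinary RBAC denial (fixable with a RoleBinding) from the managed-namespace limitation (fixable only by targeting a namespace other than kube-system), plus a `kubectl auth can-i` preflight to run before `juju add-k8s`. The sample error text is the one quoted above with a constructed placeholder in place of the redacted user; the function names are mine.

```shell
#!/usr/bin/env sh
# Added example: classify a Kubernetes authorization denial of the kind
# juju add-k8s printed above, and offer a preflight check for the namespace
# juju will create its ServiceAccount in.

# Constructed sample: the error quoted in the bug comment, with a placeholder
# (user@example.com) where the real user was redacted.
SAMPLE_ERROR=$(cat <<'EOF'
ERROR making juju admin credentials in cluster: ensuring service account "juju-credential-64f26484" in namespace "kube-system": serviceaccounts is forbidden: User "user@example.com" cannot create resource "serviceaccounts" in API group "" in the namespace "kube-system": GKE Warden authz [denied by managed-namespaces-limitation]: the namespace "kube-system" is managed and the request's verb "create" is denied
EOF
)

# denial_field <error-text> <field>
# field is one of: verb resource namespace policy
# Prints the extracted value, or nothing when the pattern is absent.
denial_field() {
  case "$2" in
    verb)      printf '%s\n' "$1" | sed -n 's/.*cannot \([a-z]*\) resource .*/\1/p' ;;
    resource)  printf '%s\n' "$1" | sed -n 's/.*cannot [a-z]* resource "\([^"]*\)".*/\1/p' ;;
    namespace) printf '%s\n' "$1" | sed -n 's/.*in the namespace "\([^"]*\)".*/\1/p' ;;
    policy)    printf '%s\n' "$1" | sed -n 's/.*\[denied by \([^]]*\)\].*/\1/p' ;;
  esac
}

# is_managed_namespace_denial <error-text>
# Exit 0 when the denial came from GKE's managed-namespace policy. In that
# case no RBAC binding will help; the request has to target another namespace.
is_managed_namespace_denial() {
  [ "$(denial_field "$1" policy)" = "managed-namespaces-limitation" ]
}

# summarize_denial <error-text>
# One-line operator summary: "<verb> <resource> in <namespace> denied by <policy>".
# A denial with no bracketed policy tag is reported as a plain RBAC denial.
summarize_denial() {
  _p=$(denial_field "$1" policy)
  printf '%s %s in %s denied by %s\n' \
    "$(denial_field "$1" verb)" "$(denial_field "$1" resource)" \
    "$(denial_field "$1" namespace)" "${_p:-rbac}"
}

# can_create_serviceaccount <namespace>
# Preflight for juju add-k8s: asks the API server whether the current identity
# may create ServiceAccounts in <namespace>. Needs kubectl and a reachable
# cluster, so it is not exercised against the sample text above.
can_create_serviceaccount() {
  kubectl auth can-i create serviceaccounts -n "$1" >/dev/null 2>&1
}

# Usage against the constructed sample.
summarize_denial "$SAMPLE_ERROR"
if is_managed_namespace_denial "$SAMPLE_ERROR"; then
  echo "managed namespace: pick a namespace other than $(denial_field "$SAMPLE_ERROR" namespace)"
fi
```

`kubectl auth can-i` reports what the API server's authorizer chain answers for a SubjectAccessReview; whether a managed cluster's extra policy is visible through that path is an assumption to confirm on the cluster at hand, so treat a "yes" as necessary but not sufficient and keep the error classifier for the real attempt.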