Schedule a kubernetes cronjob to restart jupyterhub

More of a kube question than jupyter to be honest…

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: jhub-restarter
rules:
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  verbs:
  - 'patch'
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jhub-restarter
  namespace: dev
subjects:
- kind: ServiceAccount
  name: sa-jhub-restarter
  namespace: jp-test
roleRef:
  kind: Role
  name: jhub-restarter
  apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-jhub-restarter
  namespace: dev
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: devhubrestarter
  namespace: dev
spec:
  schedule: "0 3 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: sa-jhub-restarter
          containers:
          - name: restarter
            image: bitnami/kubectl:latest
            command:
            - /bin/sh
            - -c
            - kubectl rollout restart deployment -n dev hub
          restartPolicy: OnFailure

Everything seems to create correctly from what I can tell, and the cronjob runs/creates the pod.

But the pod logs give an error:

└> kubectl logs -n dev <podname>
Error from server (Forbidden): deployments.apps "hub" is forbidden: User "system:serviceaccount:dev:sa-jhub-restarter" cannot get resource "deployments" in API group "apps" in the namespace "dev"

But I do have the rules.resources.deployments in the first Role block. Any thoughts on what I’m missing?

I found this stackoverflow, which recommends adding some apiGroups/resources/verbs, but sadly that still ended in the same error; just wanted to log.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: jhub-restarter
rules:
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  - replicasets
  - pods
  verbs:
  - 'get'
  - 'patch'
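
Added example, not part of the original post: a small Python model of how RBAC matches a request against RoleBindings and Roles, run over the manifests above (hand-copied into dicts; all function names are hypothetical). It shows that the RoleBinding names the ServiceAccount in namespace jp-test while the error identifies the pod as the one in dev, and that `kubectl rollout restart` needs `get` as well as `patch`.

```python
# Added example: simplified RBAC matching, not API server code.
def sa_username(namespace, name):
    return f"system:serviceaccount:{namespace}:{name}"

def rule_allows(rule, verb, group, resource):
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], group)
            and hit(rule["resources"], resource))

def allowed(user, verb, group, resource, namespace, roles, bindings):
    for b in bindings:
        if b["namespace"] != namespace:
            continue  # a RoleBinding only grants access inside its own namespace
        subjects = {sa_username(s["namespace"], s["name"])
                    for s in b["subjects"] if s["kind"] == "ServiceAccount"}
        if user not in subjects:
            continue  # subject name AND namespace must both match
        role = roles.get((b["namespace"], b["roleRef"]))
        if role and any(rule_allows(r, verb, group, resource) for r in role):
            return True
    return False  # RBAC is deny by default

def can_rollout_restart(user, roles, bindings):
    # kubectl rollout restart reads the Deployment, then patches it
    return all(allowed(user, v, "apps", "deployments", "dev", roles, bindings)
               for v in ("get", "patch"))

USER = sa_username("dev", "sa-jhub-restarter")  # identity from the error message
ROLE_V1 = {("dev", "jhub-restarter"): [  # first Role in the post
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"],
     "verbs": ["patch"]}]}
ROLE_V2 = {("dev", "jhub-restarter"): [  # second Role in the post
    {"apiGroups": ["extensions", "apps"],
     "resources": ["deployments", "replicasets", "pods"],
     "verbs": ["get", "patch"]}]}

def binding(subject_ns):
    # RoleBinding from the post; subject_ns is "jp-test" as posted
    return [{"namespace": "dev", "roleRef": "jhub-restarter",
             "subjects": [{"kind": "ServiceAccount", "name": "sa-jhub-restarter",
                           "namespace": subject_ns}]}]

if __name__ == "__main__":
    for label, roles, ns in [("first Role, subject jp-test", ROLE_V1, "jp-test"),
                             ("second Role, subject jp-test", ROLE_V2, "jp-test"),
                             ("first Role, subject dev", ROLE_V1, "dev"),
                             ("second Role, subject dev", ROLE_V2, "dev")]:
        print(f"{label}: {can_rollout_restart(USER, roles, binding(ns))}")
```

Against a live cluster, `kubectl auth can-i get deployments.apps -n dev --as=system:serviceaccount:dev:sa-jhub-restarter` asks the API server the same question.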