Pulsar 3.2.3 incorrect permissions in Kubernetes, cannot deploy connectors

[conor-nsurely]

Describe the bug
After upgrading from Pulsar 3.0.1 to Pulsar 3.2.3, we were unable to deploy new sinks to Kubernetes, primarily we use the jdbc-postgres, but all sinks were affected.

We are using the Pulsar Functions worker, so sinks/sources appear as standalone pods when created.

Error

org.apache.pulsar.functions.utils.Actions - Error completing action [ Submitting service for function testorggroup010/testorg010/r26o7cl1ss8lf4gx ] :- {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"services is forbidden: User \"system:serviceaccount:default:pulsar-broker-acct\" cannot create resource \"services\" in API group \"\" in the namespace \"example-namespace\"","reason":"Forbidden","details":{"kind":"services"},"code":403}
 - [ATTEMPT] 5/5

Fix
I created and applied a clusterrole with the same permission as the existing role to pulsar-broker-acct service account

To Reproduce
Steps to reproduce the behavior:

1. Enable Functions worker in Pulsar 3.2.3
2. Create a sink in a namespace that is not default
3. Sink will fail to create due to insufficient permissions

Expected behavior
Sink should create without having to manually alter broker permissions