@wwitzel3
Created May 18, 2020 17:02
kubectl client key authorization expired cert
~/.kube  docker exec kind-control-plane cat /etc/kubernetes/pki/ca.key > ~/repos/octant/kind.ca.key
~/.kube  docker exec kind-control-plane cat /etc/kubernetes/pki/ca.crt > ~/repos/octant/kind.ca.crt
openssl genrsa -out readonly.key 2048
openssl req -new -key readonly.key -out readonly.csr -subj "/CN=readonly/O=octant"
openssl x509 -req -in readonly.csr -CA kind.ca.crt -CAkey kind.ca.key -CAcreateserial -out readonly.crt -days 500
✘  ~/podreader  cat 01-clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["list", "watch", "get"]
~/podreader  cat 02-rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: 'default'
  name: pod-reader
subjects:
- kind: User
  name: readonly
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
k config set-credentials readonly --client-certificate=/home/wwitzel3/podreader/readonly.crt --client-key=/home/wwitzel3/podreader/readonly.key
k --user readonly get ns
Error from server (Forbidden): namespaces is forbidden: User "readonly" cannot list resource "namespaces" in API group "" at the cluster scope
✘  ~/podreader  k --user readonly get pod
No resources found.
~/podreader  faketime 'yesterday 12:40' openssl x509 -req -in readonly.csr -CA kind.ca.crt -CAkey kind.ca.key -CAcreateserial -out readonly.crt -days 1
Signature ok
subject=/CN=readonly/O=octant
Getting CA Private Key
~/podreader  k --user readonly get pod
error: You must be logged in to the server (Unauthorized)
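The two failures above come from different layers: "Forbidden" means the certificate was accepted and RBAC denied the verb, while "Unauthorized" means authentication itself failed, here because the faketime-signed cert had already expired. The following Go example is added here and is not part of the gist; it builds a constructed CA and client certificate in memory (not the kind cluster's ca.key/ca.crt) and the helper names Issue and CheckClientCert are my own. It shows the check the API server performs before RBAC: verify the chain at a given time, then map the subject CN to the user name and each O to a group (so CN=readonly/O=octant is user "readonly" in group "octant").

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue signs a client-auth certificate for CN=cn/O=org valid over [notBefore,
// notAfter]; nil parent gives a self-signed CA. Constructed test PKI, not kind's.
func Issue(cn, org string, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: parent == nil, BasicConstraintsValid: parent == nil,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert, key
}

// CheckClientCert mirrors the API server's authentication step: the chain must
// verify against the cluster CA at time now, otherwise the request fails as
// Unauthorized before RBAC runs; on success CN is the user and each O a group.
func CheckClientCert(cert, ca *x509.Certificate, now time.Time) (user string, groups []string, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", nil, fmt.Errorf("unauthorized: %w", err)
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}
```

Because the O attribute becomes a group, a RoleBinding with a Group subject named "octant" would also match this certificate; bind only the identities you intend to grant.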