To test a service account, use the format system:serviceaccount:namespace:serviceaccountname (e.g., system:serviceaccount:default:developer). Use this with k can-i get namespaces --as=system:serviceaccount:default:developer. If you just specify the service account name in --as argument, it will test the permission with that specific user, which is not your intention. The aforementioned format is the user name that Kubernetes uses internally.