diff --git a/cluster/kubernetes/kubernetes.go b/cluster/kubernetes/kubernetes.go
index eee280fd4..833990ba1 100644
--- a/cluster/kubernetes/kubernetes.go
+++ b/cluster/kubernetes/kubernetes.go
@@ -177,9 +177,18 @@ func (c *Cluster) AllControllers(namespace string) (res []cluster.Controller, er
 		for kind, resourceKind := range resourceKinds {
 			podControllers, err := resourceKind.getPodControllers(c, ns.Name)
 			if err != nil {
-				if se, ok := err.(*apierrors.StatusError); ok && se.ErrStatus.Reason == meta_v1.StatusReasonNotFound {
-					// Kind not supported by API server, skip
-					continue
+				if se, ok := err.(*apierrors.StatusError); ok {
+					switch (se.ErrStatus.Reason) {
+						case meta_v1.StatusReasonNotFound:
+							// Kind not supported by API server, skip
+							continue
+						case meta_v1.StatusReasonForbidden:
+							// K8s can return forbidden instead of not found for non super admins
+							c.logger.Log("warning", "not allowed to list resources", "err", err)
+							continue
+						default:
+							return nil, err
+					}
 				} else {
 					return nil, err
 				}
@@ -281,9 +290,18 @@ func (c *Cluster) Export() ([]byte, error) {
 		for _, resourceKind := range resourceKinds {
 			podControllers, err := resourceKind.getPodControllers(c, ns.Name)
 			if err != nil {
-				if se, ok := err.(*apierrors.StatusError); ok && se.ErrStatus.Reason == meta_v1.StatusReasonNotFound {
-					// Kind not supported by API server, skip
-					continue
+				if se, ok := err.(*apierrors.StatusError); ok {
+					switch (se.ErrStatus.Reason) {
+						case meta_v1.StatusReasonNotFound:
+							// Kind not supported by API server, skip
+							continue
+						case meta_v1.StatusReasonForbidden:
+							// K8s can return forbidden instead of not found for non super admins
+							c.logger.Log("warning", "not allowed to list resources", "err", err)
+							continue
+						default:
+							return nil, err
+					}
 				} else {
 					return nil, err
 				}