This error can occur when the VM instance does not have the userinfo-email scope.
For example, suppose the VM has cloud-platform scope but does not have userinfo-email scope.
When the VM gets an access token, Google Cloud Platform associates that token with the cloud-platform scope. When the Kubernetes API server asks GCP for the identity associated with the access token, it receives the service account's unique ID, not the service account's email.
To authenticate successfully, either create a new VM with the userinfo-email scope or create a new role binding that uses the unique ID.
gcloud compute instances create [INSTANCE_NAME] \
--service-account [SERVICE_ACCOUNT_EMAIL] \
Identify the service account's unique ID:
gcloud iam service-accounts describe [SERVICE_ACCOUNT_EMAIL]
Create a role binding using the unique ID:
kubectl create clusterrolebinding [CLUSTERROLEBINDING_NAME] \ --clusterrole cluster-admin \ --user [UNIQUE_ID]
Hope this helps!