with RBAC enabled, the apiserver metricset throws errormessage indicating the user does not have permission. Adding the clusterroles as indicated here https://kubernetes.io/docs/concepts/cluster-administration/monitoring/ fixes the error.
The template for clusterroles in metricbeat (https://github.com/elastic/beats/blob/master/deploy/kubernetes/metricbeat/metricbeat-role.yaml) should be appended with this rule:
rules:
- nonResourceURLs:
- "/metrics"
verbs:
- get