Hi @diadoom,
I checked locally and the cluster role binding should be OK now. Before we explore a different route, could you try adding automountServiceAccountToken: true at the same level as serviceAccountName: heartbeat? I just want to make sure it's available on the pod.
If you have access through kubectl, you can also check that the secret is being mounted at the correct location:
$ kubectl -n elastic describe pod/heartbeat-75c8dbb864-r2zdz
...
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-9zknf (ro)
...
The token value should match the one that is listed in the service account secret:
$ kubectl -n elastic describe serviceaccounts/heartbeat
...
Tokens: heartbeat-token-bpd9k
...
$ kubectl -n elastic get secret/heartbeat-token-bpd9k -o json | jq .data.token
"ZXlK... // This should be the same as v
$ kubectl -n elastic exec <pod name> -- cat /var/run/secrets/kubernetes.io/serviceaccount/token | base64 --
ZXlK...