root@ip-172-31-16-42:~# kubectl get secrets
NAME TYPE DATA AGE
default-token-2m258 kubernetes.io/service-account-token 3 48m
root@ip-172-31-16-42:~# kubectl create serviceaccount readonlyuser
serviceaccount/readonlyuser created
root@ip-172-31-16-42:~# kubectl create clusterrole readonlyuser --verb=get --verb=list --verb=watch --resource=pods
clusterrole.rbac.authorization.k8s.io/readonlyuser created
root@ip-172-31-16-42:~# kubectl create clusterrolebinding readonlyuser --serviceaccount=default:readonlyuser --clusterrole=readonlyuser
clusterrolebinding.rbac.authorization.k8s.io/readonlyuser created
root@ip-172-31-16-42:~# TOKEN=$(kubectl describe secrets "$(kubectl describe serviceaccount readonlyuser | grep -i Tokens | awk '{print $2}')" | grep token: | awk '{print $2}')
NAME TYPE DATA AGE
default-token-2m258 kubernetes.io/service-account-token 3 48m
root@ip-172-31-16-42:~# kubectl create serviceaccount readonlyuser
serviceaccount/readonlyuser created
root@ip-172-31-16-42:~# kubectl create clusterrole readonlyuser --verb=get --verb=list --verb=watch --resource=pods
clusterrole.rbac.authorization.k8s.io/readonlyuser created
root@ip-172-31-16-42:~# kubectl create clusterrolebinding readonlyuser --serviceaccount=default:readonlyuser --clusterrole=readonlyuser
clusterrolebinding.rbac.authorization.k8s.io/readonlyuser created
root@ip-172-31-16-42:~# TOKEN=$(kubectl describe secrets "$(kubectl describe serviceaccount readonlyuser | grep -i Tokens | awk '{print $2}')" | grep token: | awk '{print $2}')
root@ip-172-31-16-42:~# kubectl config set-credentials vikash --token=$TOKEN
User "vikash" set.
root@ip-172-31-16-42:~# kubectl config set-context podreader --cluster=kubernetes --user=vikash
Context "podreader" created.
root@ip-172-31-16-42:~# kubectl config use-context podreader
Switched to context "podreader".
root@ip-172-31-16-42:~# kubectl auth can-i get pods --all-namespaces
yes
root@ip-172-31-16-42:~# kubectl auth can-i create pods
no
root@ip-172-31-16-42:~# kubectl get svc
Error from server (Forbidden): services is forbidden: User "system:serviceaccount:default:readonlyuser" cannot list resource "services" in API group "" in the namespace "default"
root@ip-172-31-16-42:~# kubectl auth can-i delete pods
no
root@ip-172-31-16-42:~# kubectl get nodes
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:default:readonlyuser" cannot list resource "nodes" in API group "" at the cluster scope
The highlighter is spoiling the article’s visibility. Why don’t you remove the highlights?
Thanks, I will remove that one.