I am using Kubernetes 1.8.6 on Google Kubernetes Engine and have a pod running Alpine as part of a StatefulSet.

I have logged into my pod using kubectl exec -it my-pod-0 -- /bin/sh and then run the following commands at the prompt:

$ CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
$ TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
$ NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
$ curl --cacert $CA_CERT -H "Authorization: Bearer $TOKEN" "https://kubernetes
/api/v1/namespaces/$NAMESPACE/services/"

Unfortunately a 403 Forbidden error is returned:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services is forbidden: User \"system:serviceaccount:default:default\" cannot list services in the namespace \"default\": Unknown user \"system:serviceaccount:default:default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "services"
  },
  "code": 403

What am I doing wrong?

You're not doing anything wrong. That pod's service account (specified in the pod's serviceAccountName) simply doesn't have any API permissions.

You can grant a view role to that service account like this:

kubectl create rolebinding default-viewer \
  --clusterrole=view \
  --serviceaccount=default:default \
  --namespace=default

See https://kubernetes.io/docs/admin/authorization/rbac/#service-account-permissions for more details about granting permissions to service accounts.