Kubernetes - ServiceAccounts

Last Updated: 2023-08-26

When is ServiceAccount used? When a Pod contact the API server, the Pod authenticate as a particular ServiceAccount.

ServiceAccount in apiVersion: v1 (while Group and User are NOT in core but in apiGroup: rbac.authorization.k8s.io).

  • each pod is assigned a ServiceAccount by default. A default secret token is mounted on every pod's file system.
  • each pod gets a Secret volume automatically mounted.


  • Pod => ServiceAccount: .spec.serviceAccountName
  • Cronjob => ServiceAccount: .spec.jobTemplate.spec.template.spec.serviceAccountName
  • Deployment => ServiceAccount: .spec.template.spec.serviceAccountName

Note: The .spec.serviceAccount field is a deprecated alias for .spec.serviceAccountName.

Default ServiceAccount

Every namespace has a default ServiceAccount. And every Pod created without specifying a ServiceAccount gets assigned the default ServiceAccount.

To use a non-default service account, set this of a pod: .spec.serviceAccountName. It can only be specified when creating a pod, it cannot be modified after the pod creation.

Service Account Token

Each ServiceAccount has a token. The token is stored as a Kubernetes Secret and can be read as a secret. This token is what you’ll use to authenticate your third-party app to the Kubernetes API Server.

Create a token of for a service account

$ kubectl create token SERVICE_ACCOUNT_NAME


  • roleRef: to a Role.
  • subjects: a list, may be a ServiceAccount, Group, User.