Kubernetes - ServiceAccounts
When is ServiceAccount used? When a Pod contact the API server, the Pod authenticate as a particular ServiceAccount.
ServiceAccount in apiVersion: v1 (while Group and User are NOT in core but in apiGroup: rbac.authorization.k8s.io).
- each pod is assigned a
ServiceAccountby default. A default secret token is mounted on every pod's file system. - each pod gets a
Secretvolume automatically mounted.
Connections
Pod=>ServiceAccount:.spec.serviceAccountNameCronjob=>ServiceAccount:.spec.jobTemplate.spec.template.spec.serviceAccountNameDeployment=>ServiceAccount:.spec.template.spec.serviceAccountName
Note: The .spec.serviceAccount field is a deprecated alias for .spec.serviceAccountName.
Default ServiceAccount
Every namespace has a default ServiceAccount. And every Pod created without specifying a ServiceAccount gets assigned the default ServiceAccount.
To use a non-default service account, set this of a pod: .spec.serviceAccountName. It can only be specified when creating a pod, it cannot be modified after the pod creation.
Service Account Token
Each ServiceAccount has a token. The token is stored as a Kubernetes Secret and can be read as a secret. This token is what you’ll use to authenticate your third-party app to the Kubernetes API Server.
Create a token of for a service account
$ kubectl create token SERVICE_ACCOUNT_NAME
RoleBinding
roleRef: to aRole.subjects: a list, may be aServiceAccount,Group,User.