Kubernetes - ServiceAccounts
When is a ServiceAccount used? When a Pod contacts the API server, the Pod authenticates as a particular ServiceAccount.
ServiceAccount is in apiVersion: v1 (while Group and User are NOT in core but in apiGroup: rbac.authorization.k8s.io).
- each pod is assigned a ServiceAccount by default. A default secret token is mounted on every pod's file system.
- each pod gets a Secret volume automatically mounted.
Connections
- Pod => ServiceAccount: .spec.serviceAccountName
- CronJob => ServiceAccount: .spec.jobTemplate.spec.template.spec.serviceAccountName
- Deployment => ServiceAccount: .spec.template.spec.serviceAccountName
Note: The .spec.serviceAccount field is a deprecated alias for .spec.serviceAccountName.
Default ServiceAccount
Every namespace has a default ServiceAccount. And every Pod created without specifying a ServiceAccount gets assigned the default ServiceAccount.
To use a non-default service account, set .spec.serviceAccountName on the pod. It can only be specified when creating the pod; it cannot be modified after the pod is created.
Service Account Token
Each ServiceAccount has a token. This token is generated when the ServiceAccount is created, and is stored as a Kubernetes Secret.
This token is used to authenticate the pod.
Create a token for a service account
$ kubectl create token SERVICE_ACCOUNT_NAME
RoleBinding
- roleRef: a reference to a Role.
- subjects: a list; each subject may be a ServiceAccount, Group, or User.
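The following is an added example, not code from the original notes, tying together the Connections section and the RoleBinding section above. It walks the three field paths (Pod, Deployment, CronJob) to find the ServiceAccount a workload runs as, honours the deprecated .spec.serviceAccount alias, falls back to the namespace's default ServiceAccount when neither is set, and then matches RoleBinding subjects of kind ServiceAccount back onto that account. The manifests are constructed sample data held as plain dicts (so no YAML library is needed); the function names and the `default_sa_with_grants` flag are this example's own, not a kubectl feature.

```python
# Added example (not from the original notes): resolve the ServiceAccount a
# workload runs as, using the three field paths from the "Connections" section,
# then map RoleBinding subjects back onto it. All manifests below are constructed
# sample data, not objects taken from a real cluster.

# Path from the top of each manifest to the pod spec that carries
# serviceAccountName (Pod: .spec, Deployment: .spec.template.spec,
# CronJob: .spec.jobTemplate.spec.template.spec).
SA_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def resolve_service_account(manifest):
    """Return the ServiceAccount name the workload's pods authenticate as."""
    kind = manifest.get("kind")
    if kind not in SA_PATHS:
        raise ValueError(f"unsupported kind: {kind!r}")
    pod_spec = manifest
    for key in SA_PATHS[kind]:
        pod_spec = pod_spec.get(key) or {}
    # serviceAccountName wins; .spec.serviceAccount is the deprecated alias;
    # a pod that sets neither gets the namespace's "default" ServiceAccount.
    return (pod_spec.get("serviceAccountName")
            or pod_spec.get("serviceAccount")
            or "default")


def grants_for(sa_name, sa_namespace, role_bindings):
    """List 'Kind/name' of every roleRef that a RoleBinding gives this ServiceAccount."""
    grants = []
    for rb in role_bindings:
        if rb.get("kind") != "RoleBinding":
            continue
        for subject in rb.get("subjects", []):
            # ServiceAccount subjects are identified by name + namespace; User and
            # Group subjects are not namespaced and never match a ServiceAccount.
            if (subject.get("kind") == "ServiceAccount"
                    and subject.get("name") == sa_name
                    and subject.get("namespace") == sa_namespace):
                ref = rb["roleRef"]
                grants.append(f"{ref['kind']}/{ref['name']}")
    return grants


def audit(workloads, role_bindings):
    """Per workload: effective ServiceAccount, what it is bound to, and whether it
    rides on the namespace's default ServiceAccount while that account holds grants
    (every pod created without a ServiceAccount would inherit those grants too)."""
    report = []
    for w in workloads:
        namespace = w["metadata"].get("namespace", "default")
        sa = resolve_service_account(w)
        grants = grants_for(sa, namespace, role_bindings)
        report.append({
            "workload": f"{w['kind']}/{w['metadata']['name']}",
            "serviceAccount": sa,
            "grants": grants,
            "default_sa_with_grants": sa == "default" and bool(grants),
        })
    return report


# Constructed sample manifests (dicts rather than YAML so this runs without extra libraries).
WORKLOADS = [
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "app"},
     "spec": {"containers": [{"name": "web", "image": "nginx"}]}},  # no ServiceAccount set
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "app"},
     "spec": {"template": {"spec": {"serviceAccountName": "api-sa"}}}},
    {"kind": "CronJob", "metadata": {"name": "backup", "namespace": "app"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"serviceAccount": "backup-sa"}}}}}},  # deprecated alias
]

ROLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "api-reader", "namespace": "app"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "api-sa", "namespace": "app"}]},
    {"kind": "RoleBinding", "metadata": {"name": "legacy", "namespace": "app"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "app"},
                  {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for row in audit(WORKLOADS, ROLE_BINDINGS):
        print(row)
```

Run as-is, the report shows the Pod `web` silently running as `default`, which the `legacy` binding has granted `Role/secret-reader`; that is the least-privilege problem behind the notes' advice to set .spec.serviceAccountName explicitly, since any other pod created in that namespace without a ServiceAccount would inherit the same grant.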