Service Accounts are the identities that processes running inside pods (and anything else that is not a human user) use to authenticate to the Kubernetes API.
A service account authenticates with a bearer token. In the cluster shown here the token lives in a Secret object of type kubernetes.io/service-account-token, which Kubernetes created automatically alongside the service account. Note that this automatic, long-lived Secret is only created in Kubernetes versions before 1.24; newer clusters hand pods a short-lived, projected token instead, and a Secret of this type only exists if you create it yourself.
When we create a pod, Kubernetes mounts the service account's token into every container as a volume (under /var/run/secrets/kubernetes.io/serviceaccount, next to the cluster CA certificate and the namespace name).
By default a pod runs as the default service account of its namespace. Every namespace has one, so even a pod that never asks for an identity ends up with a usable API credential on its filesystem.
How do we create a service account?
kubectl create serviceaccount my-service-account
How do we view information of a service account?
aliilman$ k describe serviceaccount my-service-account
Name: my-service-account
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: my-service-account-token-drs4p
Tokens: my-service-account-token-drs4p
Events: <none>
And here’s the service account’s secret. Everything in the token field is a bearer credential: anyone who obtains it can call the API as my-service-account until the Secret is deleted, because tokens of this legacy type carry no expiry claim. Treat the output of this command like a password, and never paste it into tickets or logs.
aliilman$ k describe secret my-service-account-token-drs4p
Name: my-service-account-token-drs4p
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: my-service-account
kubernetes.io/service-account.uid: dd4f240f-d2c0-454f-9ced-e84406aa931b
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1066 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6InV6MEU0bXA2RHkxX0lkcko2djJSM05mTnNSUGJ2Uk5WSExxeXFOTG1tZXcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im15LXNlcnZpY2UtYWNjb3VudC10b2tlbi1kcnM0cCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJteS1zZXJ2aWNlLWFjY291bnQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJkZDRmMjQwZi1kMmMwLTQ1NGYtOWNlZC1lODQ0MDZhYTkzMWIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteS1zZXJ2aWNlLWFjY291bnQifQ.abEIvh1XOWFaiOyf-W80u4UQpcRF30O7qtdgRjOdTqxhX687fuWhh0lpj0EqFaiKFXwfXUdSLeUFsy99yf5yFtL0Pt45h9qvpVtaxwxwL4J0HwSbvL-fzVns2eK9wy1WZrQY2h0-2ofm5rFUUzK0YEsTxrXAfYnmFdNvR7dG9tT3mJHJ-7b0Q5rQEOTckrNf9IiH3HC2bH1Q6OYqlx7nxOfZ_bh5i5hM8XvPt4kXEDvI3x9iEPr_cU80F1ek8W25T-4XCBhAl0fvUktXx14xJag3_v0bZXCRZXPUDr8JvKt1IeuMPyEArZOh96HonNnlc7GzjyAF1fzSPt9pHWVE_w
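The token above is a JWT, so you can read its claims offline with nothing but base64. The following is an added example (not part of the original post, and not a Kubernetes tool) that decodes a service-account token and tells you whether it is a legacy, never-expiring Secret token or a bound token with an exp claim; the two sample tokens are constructed inside the script with placeholder signatures, and the signature is deliberately not verified.

```bash
#!/usr/bin/env bash
# Added example: inspect a Kubernetes service-account JWT without contacting the API server.
# A JWT is three base64url segments: header.payload.signature. Legacy tokens taken from a
# kubernetes.io/service-account-token Secret have no "exp" claim and never expire; projected
# (bound) tokens issued through the TokenRequest API carry "exp" and "aud".
set -eu

# base64url -> standard base64 with padding, then decode.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print the decoded payload (the claims) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract a string-valued claim with sed; enough for the flat claims in SA tokens, no jq needed.
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Classify a token: "legacy-unbounded" (no exp, valid until the Secret is deleted)
# or "bound-expiring" (has exp, will stop working on its own).
classify_sa_token() {
  if jwt_payload "$1" | grep -q '"exp"'; then
    echo bound-expiring
  else
    echo legacy-unbounded
  fi
}

# Constructed sample tokens. The claim sets mirror what the two token types look like;
# "sig" stands in for the signature, which this script never checks.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }
HDR=$(b64url_encode '{"alg":"RS256","kid":"example"}')
LEGACY_TOKEN="$HDR.$(b64url_encode '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"my-service-account","sub":"system:serviceaccount:default:my-service-account"}').sig"
BOUND_TOKEN="$HDR.$(b64url_encode '{"aud":["https://kubernetes.default.svc"],"exp":1700003600,"iat":1700000000,"iss":"https://kubernetes.default.svc","sub":"system:serviceaccount:default:my-service-account"}').sig"

# Stand-alone run: report both samples.
for t in "$LEGACY_TOKEN" "$BOUND_TOKEN"; do
  echo "$(jwt_claim "$t" sub): $(classify_sa_token "$t")"
done
```

Against a real cluster, feed it the token from the Secret shown above with `classify_sa_token "$(kubectl get secret my-service-account-token-drs4p -o jsonpath='{.data.token}' | base64 -d)"`; a result of legacy-unbounded means that token should be rotated by deleting the Secret rather than trusted to age out.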
How do we set a specific service account for a pod?
We set serviceAccountName to the name of the desired service account. The service account must already exist in the pod's namespace, and the pod then presents that account's token instead of the default one.
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
# other properties
serviceAccountName: my-service-account
How do we create a pod without mounting a service account token at all?
We set automountServiceAccountToken to false. The pod still has a service account (the default one unless serviceAccountName says otherwise), but no token is written into its containers, so a compromised process in the pod has nothing to present to the API server. This is the right setting for any workload that never talks to the Kubernetes API, which is most of them. The same field can also be set on the ServiceAccount object to make opting out the default for every pod that uses it; the pod-level field wins when both are set.
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
# other properties
automountServiceAccountToken: false
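Putting the two fields together, here is an added example (not from the original post) of the pattern I would actually recommend: the service account opts out of automounting, a pod that does not need the API inherits that opt-out, and the one pod that genuinely needs API access opts back in with a projected, time-bound token instead of the never-expiring Secret token. The pod names, the container images and the one-hour lifetime are assumptions; the kube-root-ca.crt ConfigMap is the one Kubernetes publishes in every namespace.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
automountServiceAccountToken: false   # pods using this account get no token unless they ask for one
---
# A pod that never talks to the API: inherits the opt-out, nothing to steal under
# /var/run/secrets/kubernetes.io/serviceaccount.
apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  serviceAccountName: my-service-account
  containers:
  - name: web
    image: nginx          # assumed image
---
# A pod that does need the API: keeps automount off and mounts a projected token that
# expires after an hour (value assumed), at the path clients expect by default.
apiVersion: v1
kind: Pod
metadata:
  name: api-client
spec:
  serviceAccountName: my-service-account
  automountServiceAccountToken: false
  containers:
  - name: client
    image: bitnami/kubectl   # assumed image
    volumeMounts:
    - name: api-token
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      readOnly: true
  volumes:
  - name: api-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 3600
      - configMap:
          name: kube-root-ca.crt
          items:
          - key: ca.crt
            path: ca.crt
      - downwardAPI:
          items:
          - path: namespace
            fieldRef:
              fieldPath: metadata.namespace
```

The projected volume reproduces the three files Kubernetes would have mounted automatically (token, ca.crt, namespace), so client libraries that use in-cluster configuration keep working unchanged; the difference is that the kubelet refreshes the token before it expires and the API server rejects it once the pod is gone.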