K8S Service Account

Service Accounts are K8S Objects used to help pods with K8S Authentication.

The ServiceAccount object is namespace-scoped. It's used to allow a process in a pod to access the Kubernetes API Server. There exists a default service account object, but it has no permissions attached to it.

When a new Service Account is created, proper access should be given through K8S RBAC. The service account can then be used to obtain an auth token and CA certificate to authenticate to the K8S Apiserver. This information is held inside a K8S Secret which is automatically created together with the Service Account.

The secret is automatically mounted inside /var/run/secrets/kubernetes.io/serviceaccount/. This behavior can be disabled by setting automountServiceAccountToken to false.

The service account can be imperatively created with kubectl create serviceaccount myserviceaccount.
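
The same setup written declaratively, as an added example that is not part of the original note: a service account, the RBAC objects that grant it read-only access to pods, and a pod that uses it. The namespace demo, the Role and RoleBinding name pod-reader, the pod name and the image are assumed names; myserviceaccount is the name used above.

```yaml
# Constructed example: namespace "demo", "pod-reader" and the Pod are assumed names.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myserviceaccount
  namespace: demo
# Opt out by default: pods using this account get no token unless they ask for it.
automountServiceAccountToken: false
---
# Namespace-scoped RBAC: read-only access to pods, nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: demo
rules:
  - apiGroups: [""]          # "" is the core API group, where pods live
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
# Binds the Role to the service account; without this the account has no permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: myserviceaccount
    namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
---
apiVersion: v1
kind: Pod
metadata:
  name: api-client
  namespace: demo
spec:
  serviceAccountName: myserviceaccount
  # The pod-level setting takes precedence over the ServiceAccount's; this pod needs the API.
  automountServiceAccountToken: true
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
```

After applying, kubectl auth can-i list pods -n demo --as=system:serviceaccount:demo:myserviceaccount should answer yes, and the same check with delete should answer no.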

