Kubernetes: Service Account

A ServiceAccount is used by pods to access the API server, among other things.

Every namespace has at least one ServiceAccount called default.

To create a ServiceAccount:

kubectl create serviceaccount <name>
kubectl create sa <name>

We will create a ServiceAccount called foo and attach this SA to a Pod:

kubectl create sa foo

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
  serviceAccountName: foo

A token is used to access the Kubernetes API server.

To generate a token for that SA:

kubectl create token <service-account-name>
kubectl create token <service-account-name> --namespace some-namespace
kubectl create token <service-account-name> --duration 10m
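
The token these commands return is a JWT, so its claims can be inspected to confirm which ServiceAccount it identifies and how long it is valid. The following Python is an added example, not part of the original page: it decodes the payload without verifying the signature, and the sample token (issuer, audience, timestamps, signature) is constructed to look like one issued for the foo SA in the default namespace with --duration 10m.

```python
import base64
import json
import time

def b64url(data):
    """Base64url-encode without padding, as compact JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token):
    """Return the JWT payload. The signature is NOT verified: inspection only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def summarize(token, now=None):
    """Extract the identity and lifetime carried by a ServiceAccount token."""
    claims = decode_claims(token)
    # ServiceAccount subjects have the form system:serviceaccount:<ns>:<name>
    prefix, _, rest = claims["sub"].partition("system:serviceaccount:")
    if prefix or ":" not in rest:
        raise ValueError("subject is not a ServiceAccount")
    namespace, name = rest.split(":", 1)
    now = time.time() if now is None else now
    return {
        "namespace": namespace,
        "service_account": name,
        "audiences": claims.get("aud", []),
        "lifetime_seconds": claims["exp"] - claims["iat"],
        "expired": now >= claims["exp"],
    }

# Constructed sample token: every value below is made up for illustration,
# and the third segment is a placeholder rather than a real signature.
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    b64url(json.dumps({
        "aud": ["https://kubernetes.default.svc.cluster.local"],
        "iss": "https://kubernetes.default.svc.cluster.local",
        "iat": 1700000000, "nbf": 1700000000, "exp": 1700000600,
        "sub": "system:serviceaccount:default:foo",
    }).encode()),
    "constructed-placeholder-signature",
])

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_TOKEN), indent=2))
```

To check a real token, pass the output of kubectl create token to summarize() and compare lifetime_seconds with the duration you requested, since the API server may issue a token with a different expiry.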
