Kubernetes Service Account
ServiceAccounts provide identity for in-cluster processes that need to interact with the Kubernetes API server. Every Pod runs as a ServiceAccount; by default this is the default ServiceAccount in its Namespace, which carries minimal permissions. Understanding ServiceAccount creation, token lifecycle, and RBAC binding is essential for the CKA exam and production security. Source: CKA Day 25
What Is a ServiceAccount?
A ServiceAccount is a namespace-scoped Kubernetes object (v1/ServiceAccount) that represents an identity for workloads running inside Pods. While human operators authenticate via client certificates or OIDC tokens stored in kubeconfig, in-cluster applications authenticate via ServiceAccount tokens mounted into their Pods.
Key characteristics:
- Namespace-scoped: A ServiceAccount only exists within one Namespace
- Auto-mounted tokens: Kubernetes projects a token volume into every Pod at
/var/run/secrets/kubernetes.io/serviceaccount/ - RBAC-bound: A ServiceAccount has no API permissions until a Role or ClusterRole is bound to it via a RoleBinding or ClusterRoleBinding
- Non-human identity: Designed for automation, controllers, CI/CD runners, and application SDK clients
The Default ServiceAccount
Every Namespace automatically contains a ServiceAccount named default. If a Pod spec omits serviceAccountName, Kubernetes assigns default.
Security Warning: The
defaultServiceAccount typically has no permissions beyond cluster defaults. Relying on it for application API access without explicit RBAC grants results inForbiddenerrors. For production, always create dedicated ServiceAccounts with least-privilege Roles. Source: CKA Day 25
Creating and Using ServiceAccounts
Imperative Creation
kubectl create serviceaccount my-sa --namespace devDeclarative (YAML)
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-sa
namespace: devAssigning to a Pod
apiVersion: v1
kind: Pod
metadata:
name: api-client
namespace: dev
spec:
serviceAccountName: my-sa # Overrides the default ServiceAccount
containers:
- name: app
image: myapp:v1Exam Trap:
serviceAccountNameis set at the Pod spec level, not inside the container definition. It affects all containers in the Pod.
ServiceAccount Tokens
Token Lifecycle
When you create a ServiceAccount, Kubernetes does not automatically create a token Secret in modern clusters (1.24+). Instead, tokens are typically obtained via:
- Projected volume tokens (default for Pods) — short-lived, automatically rotated by the kubelet
- Manual Secret creation — create a Secret of type
kubernetes.io/service-account-tokenand annotate it with the ServiceAccount name kubectl create tokencommand — generates a short-lived token for external use
Manual Token Secret (for CI/CD or external clients)
apiVersion: v1
kind: Secret
metadata:
name: my-sa-token
annotations:
kubernetes.io/service-account.name: my-sa
type: kubernetes.io/service-account-tokenThis Secret will be populated with:
token— JWT bearer tokenca.crt— Cluster CA certificatenamespace— The ServiceAccount’s namespace
Token Mounting in Pods
Every Pod with a ServiceAccount receives a projected volume mount at:
/var/run/secrets/kubernetes.io/serviceaccount/
| File | Purpose |
|---|---|
token | JWT bearer token for API authentication |
ca.crt | CA bundle to verify the API server’s TLS certificate |
namespace | The Namespace name, for constructing API paths |
Inside the container, applications read these files to call the API server:
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -k -H "Authorization: Bearer $TOKEN" \
https://kubernetes.default.svc.cluster.local/api/v1/namespaces/default/podsBest Practice: Never copy token files out of Pods or commit them to source control. For external automation, use
kubectl create tokenor projected volume tokens with short expiry. Source: CKA Day 25
RBAC Binding for ServiceAccounts
A ServiceAccount is useless without permissions. The standard workflow:
- Create the ServiceAccount
- Create a Role (or ClusterRole) defining allowed resources and verbs
- Create a RoleBinding (or ClusterRoleBinding) attaching the Role to the ServiceAccount
Example: Grant Pod Read Access
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pod-reader
namespace: dev
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: pod-reader-binding
namespace: dev
subjects:
- kind: ServiceAccount
name: my-sa
namespace: dev # Required even if same namespace
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.ioCritical: The
subjectsblock must explicitly specify the ServiceAccount’snamespace. The API server will reject bindings that omit this field. Source: CKA Day 25
Testing ServiceAccount Permissions
Use kubectl auth can-i with --as to impersonate a ServiceAccount:
# Full impersonation format
kubectl auth can-i get pods \
--as system:serviceaccount:dev:my-sa \
--namespace dev
# List all permissions for the ServiceAccount
kubectl auth can-i --list \
--as system:serviceaccount:dev:my-sa \
--namespace devThis is the fastest way to debug RBAC without deploying a Pod.
ImagePullSecrets
ServiceAccounts can store references to docker-registry Secrets, eliminating the need to repeat imagePullSecrets in every Pod spec:
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-sa
imagePullSecrets:
- name: regcredAny Pod using my-sa automatically inherits the regcred Secret, enabling private registry image pulls. This is especially useful when teams share a single private registry and want to centralize credential management. Source: CKA Day 25
ServiceAccount vs. User
| Aspect | User | ServiceAccount |
|---|---|---|
| Represents | Human operators, admins | In-cluster workloads, automation |
| Authentication | Client certificates, OIDC, basic auth | Bearer token mounted in Pod |
| Scope | Can be cluster-wide or namespace | Always namespace-scoped |
| Storage | External (kubeconfig, identity provider) | Kubernetes object + token Secret |
| Typical Use | kubectl from a developer laptop | Controller, operator, CI/CD pipeline |
| RBAC Subject | kind: User | kind: ServiceAccount |
Security Best Practices
| Practice | Rationale |
|---|---|
| Create dedicated ServiceAccounts | Avoid using default for application workloads; it makes permission auditing harder |
| Apply least privilege | Grant only the verbs and resources the workload actually needs |
| Use short-lived tokens | Prefer projected volume tokens over long-lived static Secrets |
| Rotate tokens regularly | Delete and recreate token Secrets; restart Pods to pick up new mounts |
| Restrict Secret access | Do not grant broad get/list on Secrets; attackers can extract ServiceAccount tokens |
| Disable auto-mount if unused | Set automountServiceAccountToken: false on Pods that do not need API access |
CKA Exam Patterns
- Create ServiceAccount + Role + RoleBinding: Common 3-step task. Use imperative commands for speed:
kubectl create sa my-sa kubectl create role pod-reader --verb=get,list --resource=pods kubectl create rolebinding rb --role=pod-reader --serviceaccount=default:my-sa - Impersonate with
--as: Test without running inside a Podkubectl auth can-i create deployments --as system:serviceaccount:dev:my-sa -n dev - Token mount path: Know
/var/run/secrets/kubernetes.io/serviceaccount/and the three files inside - ServiceAccount namespace trap: RoleBinding subjects must include
namespacefor ServiceAccounts
Related Pages
- Kubernetes RBAC — Deep-dive into Roles, ClusterRoles, Bindings, and rule anatomy
- Kubernetes Authentication & Authorization — The two-gate security model and auth methods
- Kubernetes Kubeconfig — Client-side credentials; ServiceAccount tokens can be embedded as
user.token - Kubernetes ConfigMaps and Secrets —
kubernetes.io/service-account-tokenandkubernetes.io/dockerconfigjsonSecret types - Pod Fundamentals —
serviceAccountNamefield and token volume mounting - Kubernetes Namespaces — Default ServiceAccounts and namespace-scoped identity boundaries
- Kubernetes Architecture — kube-controller-manager’s Service Account & Token controller
- TLS Fundamentals — Certificate anatomy and the CA trust chain used by mounted
ca.crt
Tags: kubernetes serviceaccount rbac security authentication cka devops token imagepullsecrets