Kubernetes Service Account
A Service Account is a type of resource within Kubernetes used to provide an identity for processes that run in a Pod^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]. Unlike normal users, which are global and typically managed externally, a Service Account is scoped to a specific namespace^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md].
Pods use the Service Account to authenticate with the Kubernetes API Server^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md].
Default Behavior
Kubernetes automatically provisions a Service Account for every namespace^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]. When a new namespace is created, Kubernetes creates a Service Account named default within it^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md].
This default Service Account includes a token that Pods in the namespace can utilize for API Server authentication^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md].
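Because that token is mounted into every Pod in the namespace unless automatic mounting is switched off, a common hardening step is to disable automounting on the default account and give only the workloads that really talk to the API Server a dedicated account. The manifests below are an added example, not from the original page; the namespace `demo`, the account name `inventory-reader`, the Pod names and the images are assumptions.

```yaml
# Added example (not from the original page). Namespace, account and Pod names
# and images are assumed.

# Opt the namespace's default ServiceAccount out of automatic token mounting, so
# Pods that do not name a serviceAccountName receive no API credential at all.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: demo                # assumed namespace
automountServiceAccountToken: false
---
# A dedicated identity for the one workload that actually needs the API Server.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: inventory-reader         # assumed name
  namespace: demo
---
# Pod that needs the API: selects the dedicated account and mounts its token.
apiVersion: v1
kind: Pod
metadata:
  name: inventory
  namespace: demo
spec:
  serviceAccountName: inventory-reader
  automountServiceAccountToken: true
  containers:
  - name: app
    image: example.com/inventory:1.0   # placeholder image
---
# Pod that never calls the API: no token is mounted, so there is nothing to steal
# from the container filesystem if it is compromised.
apiVersion: v1
kind: Pod
metadata:
  name: static-web
  namespace: demo
spec:
  automountServiceAccountToken: false
  containers:
  - name: web
    image: nginx:1.25
```

Apply with `kubectl apply -f`, then check the effect: `kubectl exec -n demo inventory -- ls /var/run/secrets/kubernetes.io/serviceaccount` lists the projected token files, while the same command against `static-web` fails because the directory does not exist. Setting `automountServiceAccountToken: false` on the `default` ServiceAccount works as an update to the account Kubernetes already created.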
Comparison with Normal Users
Understanding the distinction between normal users and Service Accounts is key to managing Kubernetes permissions:
- Scope: Normal users are global, whereas Service Accounts are namespaced^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md].
- Nature: Normal users are typically authenticated via external systems (e.g., kubectl config, certificates), whereas Service Accounts are Kubernetes resources bound to the application layer^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md].
- Management: Service Accounts are created and managed via the Kubernetes API, while normal users are often managed via certificates or identity providers^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md].
Role in Authorization (RBAC)
In the context of [[RBAC]], Service Accounts act as Subjects that can be granted permissions^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md].
Administrators can create RoleBindings or ClusterRoleBindings to grant specific Service Accounts the necessary permissions to interact with cluster resources (such as listing Pods or creating Secrets)^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md].
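The following manifests show such a grant in its narrowest form: a namespaced Role that allows only reading Pods, bound to a single Service Account. This is an added example, not from the original page; it assumes a namespace `demo` and an existing ServiceAccount named `inventory-reader` in that namespace.

```yaml
# Added example (not from the original page). The namespace "demo" and the
# ServiceAccount "inventory-reader" are assumed to exist.

# A namespaced Role listing only the verbs and resources the workload needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: demo
rules:
- apiGroups: [""]          # "" is the core API group, where Pods live
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# Bind the Role to the ServiceAccount. The subject kind is ServiceAccount and the
# subject's namespace says which namespace's account is meant; the binding
# itself is namespaced, so the permission stops at the "demo" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: inventory-reader-pod-reader
  namespace: demo
subjects:
- kind: ServiceAccount
  name: inventory-reader
  namespace: demo
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Service Accounts are addressed in RBAC as `system:serviceaccount:<namespace>:<name>`, so the grant can be checked before a Pod ever uses it: `kubectl auth can-i list pods -n demo --as=system:serviceaccount:demo:inventory-reader` should answer `yes`, and the same check for `create secrets` should answer `no`. Swapping the RoleBinding for a ClusterRoleBinding (with a ClusterRole) would extend the same permission to every namespace, which is why a namespaced Role is the default choice.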
Sources
^[400-devops-06-kubernetes-k8s-ithelp-day29-readme.md]