🔐 Pods Need Identity Too
Pods need to authenticate to Kubernetes API. Service Accounts give pods identity. RBAC controls permissions.
📝 Service Account
apiVersion: v1 kind: ServiceAccount metadata: name: myapp-sa namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: pod-reader rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: read-pods subjects: - kind: ServiceAccount name: myapp-sa namespace: default roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io
🎯 Use Service Account in Pod
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
spec:
serviceAccountName: myapp-sa
containers:
- name: app
image: myapp:latest
# Inside pod, access token is mounted at:
/var/run/secrets/kubernetes.io/serviceaccount/token
# Use token to call Kubernetes API
curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kubernetes.default.svc/api/v1/namespaces/default/pods
💡 Best Practices
- Default service account has limited permissions
- Create custom service accounts per app
- Use roles and role bindings (least privilege)
- Use cluster roles for cluster-wide access
- Service account tokens rotate automatically
“Pod needed to list other pods. Default SA didn’t have permission. Created custom SA with role. Pod can now list pods. Service accounts are essential for API access.”
