Kubernetes 101 : Service Accounts



In a Kubernetes cluster, we have user accounts (used by people: admin, developer, ...) and service accounts (used by programs: Prometheus, Sensu, ...).

For an application to query the API-Server, it needs to be authenticated through a service account.

We can create a service account "account_1" using the command:


To check the service accounts on our system, we use the below command:


A token is created along with our service account, and it is used to authenticate with the API-Server.

We can see the token using the below command:


The token is kept in a Kubernetes "Secret" object, which is bound to the service account.

To check the token of our default service account for example, we use the "describe" command as below:


Then we check the "Secret" object "default-token-vdr6z" attached to the default service account:


We can connect to the API-Server using "curl" and the token by running the below command:


Usually, we create a service account and give it permissions using Kubernetes RBAC.

If another application is running inside the cluster as a pod, we could mount the "Secret" as a volume on the pod running the application.
Each namespace holds its own default service account.

When we create a pod, the "Secret" object related to the service account of the pod is mounted as a volume on the pod at the directory "/var/run/secrets/kubernetes.io/serviceaccount".
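
As an added example (not from the original post), this Python script decodes the claims of a service account token like the one mounted under "/var/run/secrets/kubernetes.io/serviceaccount", to show which namespace and service account it authenticates as and whether it can expire. The sample token is constructed, the function names are hypothetical, and the signature is not verified (that is the API-Server's job).

```python
import base64
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload. The signature is NOT verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def review_token(token: str, now=None) -> dict:
    """Summarise whose identity a token carries and whether it can expire."""
    claims = decode_claims(token)
    fields = claims.get("sub", "").split(":")
    if len(fields) != 4 or fields[:2] != ["system", "serviceaccount"]:
        raise ValueError("subject is not a service account")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return {
        "namespace": fields[2],
        "service_account": fields[3],
        "secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
        "expires": exp is not None,
        "expired": exp is not None and exp <= now,
    }


# Constructed sample: claim names follow the Secret-based token format,
# the signature is a placeholder.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "default-token-vdr6z",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "sub": "system:serviceaccount:default:default",
}
SAMPLE_TOKEN = ".".join(b64url(p) for p in (
    b'{"alg":"RS256","typ":"JWT"}', json.dumps(SAMPLE_CLAIMS).encode(), b"sig"))

if __name__ == "__main__":
    print(review_token(SAMPLE_TOKEN))
```

Inside a pod, pass the contents of the "token" file in that directory to review_token. A Secret-based token carries no "exp" claim, so it stays valid until the Secret is deleted.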

We could assign a service account, "account_1" for example, to a pod using the below YAML file:

