A Kubernetes cluster has two kinds of accounts: user accounts (used by people: admin, developer, ...) and service accounts (used by programs: Prometheus, Sensu, ...).
For an application to query the API server, it must authenticate, and it does so with a service account.
We can create a service account "account_1" using the command:
To list the service accounts on our cluster, we use the command below:
A token is created along with the service account; it is what the application presents to authenticate with the API server.
We can see the token using the command below:
The token is kept in a Kubernetes "Secret" object that is bound to the service account.
To check the token of the default service account, for example, we use the "describe" command as below:
We can connect to the API server using "curl" and the token by running the command below:
Usually we create a service account and then grant it permissions through Kubernetes RBAC; the token only proves who the caller is, RBAC decides what it may do.
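The create, list, describe, fetch-token and curl steps above, as an added shell example that is not part of the original page. It also decodes the token's claims before using it, so you can confirm which account a token actually carries. Assumed values: namespace "default", the `API_SERVER` address and `CA_CERT` path, and the account name "account-1" (the page's "account_1" is not a valid Kubernetes object name, because underscores are not allowed). The token-fetching branch covers both clusters before Kubernetes 1.24, where a Secret holding a long-lived token is created automatically, and 1.24 and later, where nothing is auto-created and `kubectl create token` issues a short-lived one.

```shell
#!/bin/sh
# Added example, not code from the original page: the service-account token
# flow described above, with the claims in the token inspected before use.
# Assumptions: namespace "default", API_SERVER/CA_CERT pointing at your cluster,
# and the account name "account-1" ("account_1" is not a valid object name).
set -eu

SA_NAME="${SA_NAME:-account-1}"
NAMESPACE="${NAMESPACE:-default}"
API_SERVER="${API_SERVER:-https://127.0.0.1:6443}"   # assumed address
CA_CERT="${CA_CERT:-ca.crt}"                         # assumed path to the cluster CA

# base64url encoder, used only to build the constructed sample token below.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decode the payload (second dot-separated part) of a JWT. No signature check:
# this only reads the claims so you can see which account a token belongs to.
jwt_payload() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url drops the "=" padding; put it back before decoding
  while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
  printf '%s' "$payload" | base64 -d
}

# Service-account name from the token claims. Legacy Secret tokens carry the flat
# "kubernetes.io/serviceaccount/service-account.name" claim; tokens issued by
# `kubectl create token` nest it as "kubernetes.io": {"serviceaccount": {"name": ...}}.
sa_name_from_token() {
  jwt_payload "$1" | sed -n \
    -e 's/.*"kubernetes\.io\/serviceaccount\/service-account\.name":"\([^"]*\)".*/\1/p' \
    -e 's/.*"serviceaccount":{"name":"\([^"]*\)".*/\1/p'
}

# Constructed sample token (header.payload.signature) with a fake signature, so
# the helpers above can be exercised without a cluster.
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/service-account.name":"account-1"}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url).not-a-real-signature"

# The cluster-side flow: create the account, list and describe it, fetch its
# token, and call the API server with it.
sa_token_demo() {
  kubectl -n "$NAMESPACE" create serviceaccount "$SA_NAME"
  kubectl -n "$NAMESPACE" get serviceaccounts
  kubectl -n "$NAMESPACE" describe serviceaccount "$SA_NAME"   # "Tokens:" names the Secret, if any
  # Before Kubernetes 1.24 a Secret with a long-lived token is created automatically;
  # from 1.24 on nothing is auto-created, so request a short-lived token instead.
  secret=$(kubectl -n "$NAMESPACE" get serviceaccount "$SA_NAME" -o jsonpath='{.secrets[*].name}' | cut -d' ' -f1)
  if [ -n "$secret" ]; then
    token=$(kubectl -n "$NAMESPACE" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d)
  else
    token=$(kubectl -n "$NAMESPACE" create token "$SA_NAME")
  fi
  echo "token belongs to service account: $(sa_name_from_token "$token")"
  # A freshly created account has no RBAC bindings yet, so expect "403 Forbidden"
  # here until a Role and RoleBinding grant it permission to list pods.
  curl --cacert "$CA_CERT" -H "Authorization: Bearer $token" \
    "$API_SERVER/api/v1/namespaces/$NAMESPACE/pods"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then sa_token_demo; fi
```

Run it as `RUN_DEMO=1 API_SERVER=https://<your-api-server>:6443 CA_CERT=<path-to-ca.crt> sh sa-token.sh` against a cluster; without `RUN_DEMO=1` only the offline helpers are defined. The 403 on the final request is the expected result of the page's point that authentication and authorization are separate: the token proves the identity, and RBAC has not yet granted that identity anything.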
If an application runs inside the cluster as a pod, the "Secret" can be mounted as a volume in the pod running the application.
Each namespace holds its own default service account.
When we create a pod, the "Secret" object belonging to the pod's service account is mounted as a volume in the pod at the directory "/var/run/secrets/kubernetes.io/serviceaccount".
We can assign a service account, "account_1" for example, to a pod using the YAML file below:
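A pod manifest that runs as the service account, together with a check of what the kubelet actually mounts at "/var/run/secrets/kubernetes.io/serviceaccount", as an added shell example that is not part of the original page. It goes one step beyond the page by also showing `automountServiceAccountToken`, which is how a pod that never talks to the API server is kept from carrying a usable token at all. Assumptions: account "account-1" (the page's "account_1" is not a valid object name) in namespace "default", and the "nginx" image as a placeholder workload.

```shell
#!/bin/sh
# Added example, not code from the original page: a pod manifest that runs as a
# service account, plus a check of what the mounted Secret gives the container.
# Assumptions: account "account-1" in namespace "default"; "nginx" is a placeholder image.
set -eu

SA_MOUNT_DIR=/var/run/secrets/kubernetes.io/serviceaccount

# Print a pod manifest. The third argument sets automountServiceAccountToken:
# a pod that never calls the API server should set it to "false", so that a
# compromised container finds no token under $SA_MOUNT_DIR. "true" is the default
# behaviour the page describes.
pod_manifest() {
  pod="$1"; sa="$2"; automount="$3"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $pod
spec:
  serviceAccountName: $sa
  automountServiceAccountToken: $automount
  containers:
  - name: app
    image: nginx
EOF
}

# Apply the manifest and show what the kubelet mounted: ca.crt, namespace and
# token (the same token the page uses with curl).
mount_demo() {
  pod_manifest web account-1 true | kubectl -n default apply -f -
  kubectl -n default wait --for=condition=Ready pod/web
  kubectl -n default exec web -- ls "$SA_MOUNT_DIR"
  kubectl -n default exec web -- cat "$SA_MOUNT_DIR/namespace"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then mount_demo; fi
```

`pod_manifest web account-1 false` prints the hardened form for a pod with no business talking to the API server; `RUN_DEMO=1 sh pod-sa.sh` applies the default form and lists the three files the page's mounted Secret provides.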