ServiceAccount
最后更新于
最后更新于
Think of service accounts as a way for the processes within your Pod to smoothly interact with the Kubernetes API and other external services. You see, they're distinct from user accounts:
User accounts are designed for humans. On the other hand, service accounts are custom-made for processes within a Pod that want to interact with the Kubernetes API.
User accounts transcend namespaces, while service accounts are restrained by their respective namespaces.
Each namespace automatically conjures a default service account.
The token controller keeps an eye out for any freshly spawned service accounts, creating a corresponding for each one.
With the ServiceAccount Admission Controller activated
Every newly created Pod is automatically assigned a spec.serviceAccountName set to default (unless another ServiceAccount is specified).
It double-checks if the service account [20] referenced by the Pod exists; if it doesn't, the creation process is denied.
If a Pod hasn't specified ImagePullSecrets, the service account's ImagePullSecrets are added to the Pod.
Each container brought to life will have a token and ‘ca.crt’ from its service account mounted on /var/run/secrets/kubernetes.io/serviceaccount/.
Heads up: Starting with v1.24.0, ServiceAccount won’t spawn Secrets automatically. If you’re keen on retaining this feature, configure your kube-controller-manager to
LegacyServiceAccountTokenNoAutoGeneration=false.
Pro Tip: Head to for an in-depth look at your token (like PAYLOAD, SIGNATURE, etc.).
The corresponding secret gets generated automatically:
Set up both --authorization-mode=RBAC and --runtime-config=rbac.authorization.k8s.io/v1alpha1
Enable --authorization-rbac-super-user=admin
Define your Role, ClusterRole, RoleBinding, or ClusterRoleBinding
Here's an example:
While service accounts smoothly enable service authentications, they remain apathetic towards authorization matters. To make them more useful, pair them with for granting Service Account access: