Bird
Raised Fist0
Kubernetesdevops~5 mins

Service accounts in Kubernetes - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
Service accounts in Kubernetes let applications inside the cluster talk to the Kubernetes API securely. They provide a way to give permissions to pods without using user credentials.
When a pod needs to access the Kubernetes API to read or modify resources.
When you want to control what a pod can do inside the cluster with specific permissions.
When running automated jobs or controllers that require API access.
When isolating permissions between different applications running in the same cluster.
When you want to avoid using user credentials inside containers for security reasons.
Config File - service-account.yaml
service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default

This file creates a service account named my-service-account in the default namespace. The metadata section sets the name and namespace. Kubernetes will create credentials for this account automatically.

Commands
This command creates the service account in the Kubernetes cluster using the configuration file.
Terminal
kubectl apply -f service-account.yaml
Expected OutputExpected
serviceaccount/my-service-account created
This command lists all service accounts in the current namespace to verify that the new one was created.
Terminal
kubectl get serviceaccounts
Expected OutputExpected
NAME SECRETS AGE default 1 10d my-service-account 1 1m
This command shows detailed information about the service account, including the secret token it uses to authenticate.
Terminal
kubectl describe serviceaccount my-service-account
Expected OutputExpected
Name: my-service-account Namespace: default Labels: <none> Annotations: <none> Image pull secrets: <none> Mountable secrets: my-service-account-token-abcde Tokens: my-service-account-token-abcde Events: <none>
This command creates a pod named my-pod that uses the service account my-service-account to access the Kubernetes API securely.
Terminal
kubectl run my-pod --image=nginx --serviceaccount=my-service-account --restart=Never
Expected OutputExpected
pod/my-pod created
--serviceaccount - Assigns the specified service account to the pod
--restart - Sets pod restart policy; 'Never' means it won't restart automatically
This command lists all pods to confirm that the pod using the service account is running.
Terminal
kubectl get pods
Expected OutputExpected
NAME READY STATUS RESTARTS AGE my-pod 1/1 Running 0 10s
Key Concept

If you remember nothing else from this pattern, remember: service accounts let pods securely access the Kubernetes API with their own identity and permissions.

Common Mistakes
Not specifying the service account when creating a pod, so it uses the default account with limited permissions.
The pod may not have the permissions it needs to perform actions on the Kubernetes API.
Always specify the correct service account with --serviceaccount flag when creating pods that need API access.
Trying to create a service account with a name that already exists without deleting the old one.
Kubernetes will reject the creation because names must be unique in a namespace.
Delete the existing service account first or use a unique name.
Assuming the service account automatically grants permissions without creating Role or ClusterRole bindings.
Service accounts alone do not have permissions; you must bind roles to them.
Create RoleBindings or ClusterRoleBindings to assign permissions to the service account.
Summary
Create a service account using a YAML file and apply it with kubectl.
Verify the service account exists and inspect its details with kubectl get and describe commands.
Assign the service account to a pod to let it access the Kubernetes API securely.

Practice

(1/5)
1. What is the main purpose of a ServiceAccount in Kubernetes?
easy
A. To schedule pods on specific nodes
B. To give a pod an identity and control its permissions inside the cluster
C. To manage network policies between pods
D. To store container images for pods

Solution

  1. Step 1: Understand what identity means in Kubernetes

    A ServiceAccount provides an identity for pods so they can authenticate to the Kubernetes API.

  2. Step 2: Recognize the role of permissions

    ServiceAccounts are linked to permissions (via Roles or ClusterRoles) to control what pods can do.

  3. Final Answer:

    To give a pod an identity and control its permissions inside the cluster -> Option B

  4. Quick Check:

    ServiceAccount = Pod identity and permissions [OK]
Hint: ServiceAccount = pod identity + permissions [OK]
Common Mistakes:
  • Confusing ServiceAccount with image storage
  • Thinking ServiceAccount manages pod scheduling
  • Mixing ServiceAccount with network policies
2. Which of the following is the correct YAML snippet to create a ServiceAccount named my-service-account?
easy
A. apiVersion: apps/v1 kind: Deployment metadata: name: my-service-account
B. apiVersion: v1 kind: Pod metadata: name: my-service-account
C. apiVersion: v1 kind: ServiceAccount metadata: name: my-service-account
D. apiVersion: v1 kind: Namespace metadata: name: my-service-account

Solution

  1. Step 1: Identify the correct kind for ServiceAccount

    The kind must be ServiceAccount to create a service account resource.

  2. Step 2: Check the apiVersion and metadata

    ServiceAccount uses apiVersion: v1 and metadata with the name field.

  3. Final Answer:

    apiVersion: v1 kind: ServiceAccount metadata: name: my-service-account -> Option C

  4. Quick Check:

    ServiceAccount YAML uses kind: ServiceAccount [OK]
Hint: ServiceAccount YAML always uses kind: ServiceAccount [OK]
Common Mistakes:
  • Using wrong kind like Pod or Deployment
  • Wrong apiVersion for ServiceAccount
  • Confusing Namespace with ServiceAccount
3. Given this command: kubectl get serviceaccount default -o jsonpath='{.secrets[0].name}', what does it output?
medium
A. The name of the first secret linked to the default ServiceAccount
B. The list of all pods using the default ServiceAccount
C. The token value inside the secret
D. An error because jsonpath is invalid

Solution

  1. Step 1: Understand the command structure

    The command fetches the ServiceAccount named 'default' and extracts the first secret's name using jsonpath.

  2. Step 2: Interpret the jsonpath expression

    The expression {.secrets[0].name} selects the name of the first secret linked to the ServiceAccount.

  3. Final Answer:

    The name of the first secret linked to the default ServiceAccount -> Option A

  4. Quick Check:

    jsonpath extracts secret name from ServiceAccount [OK]
Hint: jsonpath {.secrets[0].name} gets first secret name [OK]
Common Mistakes:
  • Thinking it lists pods instead of secrets
  • Expecting secret token value instead of secret name
  • Assuming jsonpath syntax is wrong
4. You created a ServiceAccount but your pod fails to use it. Which of these is the most likely cause?
medium
A. The ServiceAccount was created in a different namespace
B. The pod image is missing
C. The ServiceAccount has no secrets linked
D. The pod spec does not specify the ServiceAccount name

Solution

  1. Step 1: Check namespace consistency

    ServiceAccounts are namespace-scoped. If the pod is in one namespace but the ServiceAccount in another, the pod cannot use it.

  2. Step 2: Verify pod spec and ServiceAccount existence

    Even if the ServiceAccount exists in the same namespace, the pod must specify the ServiceAccount name in its spec to use it.

  3. Final Answer:

    The pod spec does not specify the ServiceAccount name -> Option D

  4. Quick Check:

    Pod spec must specify serviceAccountName to use it [OK]
Hint: Pod spec must specify serviceAccountName [OK]
Common Mistakes:
  • Forgetting to specify serviceAccountName in pod spec
  • Assuming missing secrets cause pod failure
  • Blaming pod image unrelated to ServiceAccount
5. You want a pod to use a custom ServiceAccount named app-sa and access the Kubernetes API with limited permissions. Which steps should you follow?
hard
A. Create the ServiceAccount app-sa, create a Role with permissions, bind the Role to app-sa, then specify serviceAccountName: app-sa in the pod spec
B. Create a RoleBinding for the default ServiceAccount, then deploy the pod without specifying serviceAccountName
C. Create a ClusterRole with full permissions and assign it to the pod directly
D. Deploy the pod first, then create the ServiceAccount and Role

Solution

  1. Step 1: Create the custom ServiceAccount

    Define and create app-sa in the pod's namespace to give the pod an identity.

  2. Step 2: Define permissions and bind them

    Create a Role with limited permissions and bind it to app-sa using a RoleBinding.

  3. Step 3: Specify the ServiceAccount in the pod spec

    Set serviceAccountName: app-sa in the pod spec so the pod uses this identity and permissions.

  4. Final Answer:

    Create the ServiceAccount app-sa, create a Role with permissions, bind the Role to app-sa, then specify serviceAccountName: app-sa in the pod spec -> Option A

  5. Quick Check:

    Custom ServiceAccount + Role + RoleBinding + pod spec = correct setup [OK]
Hint: Create SA, Role, RoleBinding, then assign SA to pod [OK]
Common Mistakes:
  • Assigning permissions to default ServiceAccount instead of custom
  • Creating ClusterRole with too many permissions
  • Deploying pod before creating ServiceAccount and Role