
Service accounts in Kubernetes - Commands & Configuration

Introduction
Service accounts in Kubernetes give applications running inside the cluster their own identity for talking to the Kubernetes API. They let you grant permissions to a pod without placing a user's credentials inside a container. Use a service account:
When a pod needs to access the Kubernetes API to read or modify resources.
When you want to control what a pod can do inside the cluster with specific permissions.
When running automated jobs or controllers that require API access.
When isolating permissions between different applications running in the same cluster.
When you want to avoid using user credentials inside containers for security reasons.
Config File - service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default

This file declares a service account named my-service-account in the default namespace. The metadata section sets the name and namespace. On Kubernetes 1.24 and later the API server no longer creates a long-lived token Secret for the account; instead, a short-lived token bound to the pod is issued through the TokenRequest API and projected into each pod that uses the account when the pod is created. On older clusters a Secret of type kubernetes.io/service-account-token is generated automatically and listed under the account.

Commands
This command creates the service account in the Kubernetes cluster using the configuration file.
Terminal
kubectl apply -f service-account.yaml
Expected Output
serviceaccount/my-service-account created
This command lists all service accounts in the current namespace to verify that the new one was created.
Terminal
kubectl get serviceaccounts
Expected Output
NAME                 SECRETS   AGE
default              1         10d
my-service-account   1         1m
On Kubernetes 1.24 and later the SECRETS column reads 0 for both accounts, because no token Secret is generated automatically.
This command shows detailed information about the service account, including any image pull secrets and, on clusters older than 1.24, the auto-generated token Secret it authenticates with.
Terminal
kubectl describe serviceaccount my-service-account
Expected Output
Name:                my-service-account
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   my-service-account-token-abcde
Tokens:              my-service-account-token-abcde
Events:              <none>
On Kubernetes 1.24 and later both Mountable secrets and Tokens show <none>; the pod-bound token only exists inside the pods that use the account.
This command creates a pod named my-pod that runs as the service account my-service-account. The --serviceaccount flag of kubectl run was deprecated in kubectl 1.18 and has since been removed, so the service account is set through --overrides instead (or, more commonly, with spec.serviceAccountName in a pod manifest).
Terminal
kubectl run my-pod --image=nginx --restart=Never --overrides='{"apiVersion":"v1","spec":{"serviceAccountName":"my-service-account"}}'
Expected Output
pod/my-pod created
--overrides - JSON merged into the pod that kubectl run generates; here it sets spec.serviceAccountName
--restart - Sets the pod's restartPolicy; 'Never' means the kubelet will not restart the container when it exits
This command lists all pods to confirm that the pod using the service account is running.
Terminal
kubectl get pods
Expected Output
NAME     READY   STATUS    RESTARTS   AGE
my-pod   1/1     Running   0          10s
Key Concept

If you remember nothing else from this pattern, remember: service accounts let pods securely access the Kubernetes API with their own identity and permissions.

Common Mistakes
Not setting a service account on a pod, so it runs as the namespace's default account, which has no RBAC permissions unless someone has bound roles to it.
The pod's API calls fail with 403 Forbidden for anything beyond basic API discovery.
Set spec.serviceAccountName in the pod manifest (or pass it through --overrides with kubectl run) for every pod that needs API access.
Running kubectl create serviceaccount for a name that already exists in the namespace.
The request fails with AlreadyExists, because names are unique within a namespace; kubectl apply -f is idempotent and simply updates the existing object.
Prefer kubectl apply, or pick a unique name. Do not delete and recreate an account to "reset" it: tokens are bound to the account's UID, so every token issued for the old account is rejected once it is gone and pods still using it lose API access.
Assuming the service account automatically grants permissions without creating a Role or ClusterRole binding.
A service account is only an identity (system:serviceaccount:<namespace>:<name>); it has no permissions of its own until a binding grants them.
Create a RoleBinding (namespaced) or ClusterRoleBinding that grants only the verbs and resources the workload needs, then verify with kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<name>.
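As an added example that is not part of the original page, the following manifest combines the steps above (create the account, assign it to a pod) with the binding the last mistake calls for, so the pod ends up with a least-privilege identity and a short-lived token. The Role, RoleBinding and pod names and the curl image are assumptions chosen for illustration; the service account name matches service-account.yaml.

```yaml
# Added example, not from the original page. Assumed names: pod-reader,
# pod-reader-binding, api-client; assumed image: curlimages/curl.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
# Do not inject a token into every pod that uses this account by default;
# the pod below opts in explicitly with a projected volume.
automountServiceAccountToken: false
---
# Namespaced permissions: read-only access to pods in "default".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# The binding is what grants the Role to the identity
# system:serviceaccount:default:my-service-account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: my-service-account
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# One-shot pod that lists pods through the API using its own identity.
apiVersion: v1
kind: Pod
metadata:
  name: api-client
  namespace: default
spec:
  serviceAccountName: my-service-account
  restartPolicy: Never
  containers:
  - name: client
    image: curlimages/curl:8.5.0   # assumption: any image with curl works
    command: ["sh", "-c"]
    args:
    - |
      TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
      curl -sS --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
        -H "Authorization: Bearer $TOKEN" \
        https://kubernetes.default.svc/api/v1/namespaces/default/pods
    volumeMounts:
    - name: sa-token
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      readOnly: true
  volumes:
  - name: sa-token
    projected:
      sources:
      # Token bound to this pod; the kubelet rotates it before it expires.
      # No audience is set, so it defaults to the API server's audience.
      - serviceAccountToken:
          path: token
          expirationSeconds: 3600
      # Cluster CA, published to every namespace as kube-root-ca.crt.
      - configMap:
          name: kube-root-ca.crt
          items:
          - key: ca.crt
            path: ca.crt
      - downwardAPI:
          items:
          - path: namespace
            fieldRef:
              fieldPath: metadata.namespace
```

Apply it with kubectl apply -f, then check the grant from outside the pod: kubectl auth can-i list pods --as=system:serviceaccount:default:my-service-account should print yes, while kubectl auth can-i delete pods --as=system:serviceaccount:default:my-service-account should print no. kubectl logs api-client shows the JSON pod list returned to the pod's own token; changing the verb list in the Role and re-running the pod is the quickest way to see a 403 from the same identity.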
Summary
Create a service account using a YAML file and apply it with kubectl.
Verify the service account exists and inspect its details with kubectl get and describe commands.
Assign the service account to a pod with spec.serviceAccountName and bind it a Role, so the pod reaches the Kubernetes API with its own identity and only the permissions it needs.