0
0
Kubernetesdevops~10 mins

Service accounts in Kubernetes - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Process Flow - Service accounts
Create ServiceAccount YAML
kubectl apply -f serviceaccount.yaml
Kubernetes API Server creates ServiceAccount object
Pod spec references ServiceAccount
Pod starts with ServiceAccount token mounted
Pod uses token to authenticate to API Server
This flow shows how a Kubernetes ServiceAccount is created, applied, linked to a Pod, and used for API authentication.
Execution Sample
Kubernetes
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
---
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: my-service-account
  containers:
  - name: app
    image: busybox
    command: ["sleep", "3600"]
This YAML creates a ServiceAccount and a Pod that uses it to authenticate with the Kubernetes API.
Process Table
StepActionResource Created/UpdatedState ChangeResult
1Apply ServiceAccount YAMLServiceAccount 'my-service-account'ServiceAccount object created in clusterServiceAccount available for pods
2Apply Pod YAML referencing ServiceAccountPod 'my-pod'Pod spec includes serviceAccountName: my-service-accountPod created (Pending)
3Pod starts runningPod 'my-pod' runningServiceAccount token mounted in Pod filesystemPod can authenticate to API Server using token
4Pod uses token to call APIAPI Server authenticationToken validatedPod authorized as 'my-service-account'
5Pod terminates or deletedPod removedServiceAccount remainsServiceAccount reusable for other pods
💡 Pod lifecycle ends; ServiceAccount persists independently
Status Tracker
VariableStartAfter Step 1After Step 2After Step 3After Step 4Final
ServiceAccount 'my-service-account'Not presentCreatedExistsExistsExistsExists
Pod 'my-pod'Not presentNot presentCreated (Pending)Running with SA tokenRunning with SA tokenDeleted
SA Token in PodNoneNoneNoneMountedUsed for API authRemoved with Pod
Key Moments - 3 Insights
Why does the ServiceAccount still exist after the Pod is deleted?
Because ServiceAccounts are cluster resources independent of Pods. The execution_table row 5 shows the Pod is removed but the ServiceAccount remains for reuse.
How does the Pod get the ServiceAccount token?
The Pod spec references the ServiceAccount name (row 2), so Kubernetes mounts the token automatically inside the Pod when it starts (row 3).
Can a Pod authenticate to the API Server without a ServiceAccount?
By default, Pods use the default ServiceAccount in their namespace. Without specifying one, Kubernetes still mounts a token for authentication.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, at which step is the ServiceAccount token mounted inside the Pod?
AStep 3
BStep 4
CStep 2
DStep 5
💡 Hint
Check the 'State Change' column for when the token is mounted (Step 3).
According to variable_tracker, what is the state of the Pod after Step 4?
ANot present
BCreated but not running
CRunning with SA token
DDeleted
💡 Hint
Look at the 'Pod my-pod' row under 'After Step 4' column.
If the Pod YAML did not specify serviceAccountName, what would happen?
APod would not start
BPod would use the default ServiceAccount
CPod would have no API access
DPod would create a new ServiceAccount automatically
💡 Hint
Recall Kubernetes default behavior for Pods without explicit ServiceAccount (key_moments #3).
Concept Snapshot
ServiceAccount in Kubernetes:
- Defines identity for Pods to access API Server
- Created as a cluster resource (kubectl apply)
- Pod spec references ServiceAccount by name
- Kubernetes mounts token inside Pod automatically
- Token used for API authentication
- ServiceAccount persists beyond Pod lifecycle
Full Transcript
This visual execution trace shows how Kubernetes ServiceAccounts work. First, a ServiceAccount resource is created using YAML and applied to the cluster. Then, a Pod is created referencing this ServiceAccount by name. When the Pod starts, Kubernetes mounts the ServiceAccount token inside the Pod automatically. The Pod uses this token to authenticate to the Kubernetes API Server. Even after the Pod is deleted, the ServiceAccount remains available for other Pods. This separation allows secure and reusable identities for Pods to interact with the cluster.