Kubernetes has two types of accounts:
k get serviceaccount
k describe serviceaccount <service-account-name>
k create serviceaccount <service-account-name>
When a service account is created, Kubernetes generates a token that the external application uses to authenticate to the K8s API. The token is stored in a secret object, and that secret object is linked to the service account. The token can be viewed by describing the secret object, and it is sent as a Bearer token when making calls to the Kubernetes API server.
If the application accessing the K8s API is part of the K8s cluster itself, sharing the token with the application can be made simpler by mounting the secret object as a volume in the application's pod. The token is then available inside the pod without having to be provided manually, which also means that any process within the pod can read the token and query the K8s API with it.
For every namespace, a default service account is created automatically. When a pod is created in a namespace, the default service account is automatically associated with the pod, and its token (secret object) is automatically mounted into the pod as a volume at /var/run/secrets/kubernetes.io/serviceaccount. This can be viewed by describing the pod.
The secret is mounted as three separate files, of which the one named token contains the access token in plain text.
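The two ways of obtaining the token described above (decoding it from the secret object for an external application, and reading it from the mounted volume inside a pod) as an added Python example that is not part of the original notes. The secret JSON, the token, the CA certificate and the namespace are constructed sample values, and the mount directory is created in a temporary folder so the code runs outside a cluster; the function names are this example's own. Note that from Kubernetes 1.24 onward a long-lived token secret is no longer created automatically for each service account; `kubectl create token <service-account-name>` issues a short-lived token instead, and pods receive a projected token at the same mount path. The last function is a defender-side check: the `automountServiceAccountToken` field on a pod spec (or on the ServiceAccount) controls whether the token is projected into the pod at all, and it defaults to mounted.

```python
import base64
import json
import os
import tempfile
from typing import Optional

# Path at which Kubernetes projects the service-account token into a pod.
SA_MOUNT = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed sample values (not real credentials) standing in for the
# three fields of a service-account token secret.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.example-payload.example-signature"
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nEXAMPLE\n-----END CERTIFICATE-----\n"
SAMPLE_NAMESPACE = "default"


def b64(text: str) -> str:
    """Base64-encode a string the way Secret data fields are stored."""
    return base64.b64encode(text.encode()).decode()


# Constructed: the shape of `kubectl get secret <name> -o json` for a
# service-account token secret. Secret data is base64-encoded, not encrypted.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {
        "name": "example-sa-token",
        "annotations": {"kubernetes.io/service-account.name": "example-sa"},
    },
    "data": {
        "ca.crt": b64(SAMPLE_CA),
        "namespace": b64(SAMPLE_NAMESPACE),
        "token": b64(SAMPLE_TOKEN),
    },
})


def decode_token_secret(secret_json: str) -> dict:
    """External-application path: decode the secret object's fields to plain text."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token secret")
    return {name: base64.b64decode(value).decode() for name, value in secret["data"].items()}


def load_in_cluster_credentials(mount_dir: str = SA_MOUNT) -> dict:
    """In-cluster path: read the three files mounted into the pod.

    Any process in the pod that can read this directory obtains the token.
    """
    creds = {}
    for name in ("token", "namespace", "ca.crt"):
        with open(os.path.join(mount_dir, name), encoding="utf-8") as fh:
            creds[name] = fh.read()
    return creds


def bearer_headers(token: str) -> dict:
    """Header an HTTP client sends when calling the API server with the token."""
    return {"Authorization": f"Bearer {token}"}


def sa_token_will_be_mounted(pod_spec: dict, service_account: Optional[dict] = None) -> bool:
    """Will this pod get a token projected at SA_MOUNT?

    The pod spec's automountServiceAccountToken wins; otherwise the
    ServiceAccount's setting applies; if neither is set the token is mounted.
    """
    if "automountServiceAccountToken" in pod_spec:
        return bool(pod_spec["automountServiceAccountToken"])
    if service_account and "automountServiceAccountToken" in service_account:
        return bool(service_account["automountServiceAccountToken"])
    return True


def write_sample_mount(base_dir: str) -> str:
    """Lay out a directory like SA_MOUNT with the constructed contents (offline stand-in)."""
    mount = os.path.join(base_dir, "serviceaccount")
    os.makedirs(mount, exist_ok=True)
    for name, content in (("token", SAMPLE_TOKEN), ("namespace", SAMPLE_NAMESPACE), ("ca.crt", SAMPLE_CA)):
        with open(os.path.join(mount, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return mount


def in_cluster_token_matches_secret() -> bool:
    """Show that the mounted token file holds the same plain-text token as the secret."""
    external = decode_token_secret(SAMPLE_SECRET_JSON)
    with tempfile.TemporaryDirectory() as tmp:
        in_cluster = load_in_cluster_credentials(write_sample_mount(tmp))
    return in_cluster["token"] == external["token"]


if __name__ == "__main__":
    print("mounted token equals secret token:", in_cluster_token_matches_secret())
    print("request headers:", bearer_headers(decode_token_secret(SAMPLE_SECRET_JSON)["token"]))
    opted_out = {"containers": [{"name": "web", "image": "nginx"}], "automountServiceAccountToken": False}
    print("token mounted into opted-out pod:", sa_token_will_be_mounted(opted_out))
```

A pod that never talks to the API has no reason to carry the token; setting `automountServiceAccountToken: false` on such pods (or on the service account) keeps the plain-text token file out of their filesystem, and the check above is a quick way to audit manifests for it.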
<aside> 💡 The default service account only has permissions to run basic K8s API queries.
</aside>