Konubinix' opinionated web of thoughts

Service Accounts for Pod

Fleeting

Configure Service Accounts for Pods | Kubernetes

Processes in containers inside pods can also contact the apiserver. When they do, they are authenticated as a particular Service Account (for example, default).

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace.

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

You can access the API from inside a pod using automatically mounted service account credentials.

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Every namespace has a default service account resource called default.

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

a token has automatically been created and is referenced by the service account.

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

service account has to exist at the time the pod is created, or it will be rejected.

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

cannot update the service account of an already created pod.

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

User accounts are for humans. Service accounts are for processes, which run in pods.

https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/

User accounts are intended to be global. Names must be unique across all namespaces of a cluster. Service accounts are namespaced.

https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/
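
An added example, not taken from the Kubernetes documentation quoted above: a small audit that, given pod and service account objects, reports which pods fall back to the `default` service account and still get its token mounted. The sample input and the `demo` namespace are constructed; `automountServiceAccountToken` is the standard Pod and ServiceAccount field for opting out of the mounted credentials.

```python
import json

# Constructed sample, shaped like `kubectl get pods,serviceaccounts -n demo -o json`.
SAMPLE = json.loads("""
{"items": [
  {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "demo"}},
  {"kind": "ServiceAccount", "metadata": {"name": "reader", "namespace": "demo"},
   "automountServiceAccountToken": false},
  {"kind": "Pod", "metadata": {"name": "web", "namespace": "demo"},
   "spec": {"containers": []}},
  {"kind": "Pod", "metadata": {"name": "batch", "namespace": "demo"},
   "spec": {"serviceAccountName": "default", "automountServiceAccountToken": false}},
  {"kind": "Pod", "metadata": {"name": "api", "namespace": "demo"},
   "spec": {"serviceAccountName": "reader"}},
  {"kind": "Pod", "metadata": {"name": "job", "namespace": "demo"},
   "spec": {"serviceAccountName": "reader", "automountServiceAccountToken": true}}
]}
""")


def audit(items):
    """Return one finding per pod: (namespace, pod, service account, token mounted, uses default)."""
    # Index ServiceAccount-level automount settings by (namespace, name).
    sa_automount = {
        (i["metadata"]["namespace"], i["metadata"]["name"]): i.get("automountServiceAccountToken")
        for i in items if i.get("kind") == "ServiceAccount"
    }
    findings = []
    for pod in (i for i in items if i.get("kind") == "Pod"):
        ns = pod["metadata"]["namespace"]
        spec = pod.get("spec", {})
        # No serviceAccountName means the namespace's "default" service account.
        sa = spec.get("serviceAccountName") or "default"
        # The pod-level setting wins; otherwise the ServiceAccount's; unset means mounted.
        mounted = spec.get("automountServiceAccountToken")
        if mounted is None:
            mounted = sa_automount.get((ns, sa)) is not False
        findings.append((ns, pod["metadata"]["name"], sa, mounted, sa == "default"))
    return findings


def risky(items):
    """Pods that both use the default service account and get its token mounted."""
    return [f[1] for f in audit(items) if f[3] and f[4]]


if __name__ == "__main__":
    for ns, name, sa, mounted, is_default in audit(SAMPLE["items"]):
        print(f"{ns}/{name}: sa={sa} token_mounted={mounted} default_sa={is_default}")
```

Pods listed by `risky` are the ones to give a dedicated service account or an explicit `automountServiceAccountToken: false`.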