Service Accounts are users managed by the Kubernetes API that provide processes in a pod with an identity in the cluster. Service Accounts are bound to a set of credentials stored as secrets in the same namespace in the cluster. Every container in a pod within a namespace inherits the credentials of its designated service account.
Service Accounts are entirely managed by the API, and are created by making API calls to the Kubernetes API server.
kubectl automates the process of creating service accounts with the create subcommand. The example below shows an imperative command that creates a serviceAccount called ckadexample under the namespace called ckadtraining:
$ kubectl create namespace ckadtraining
$ kubectl create serviceaccount ckadexample --namespace ckadtraining
A service account has no permissions within the cluster by default. The service account must be bound to a role that defines its permissions using a rolebinding. The following example creates a role that allows our new service account to view pods within the ckadtraining namespace and a rolebinding that grants those permissions to the ckadexample SA:
$ kubectl create role ckadsarole \
    --namespace ckadtraining \
    --verb=get,list,watch \
    --resource=pods
$ kubectl create rolebinding ckadsarolebinding \
    --namespace ckadtraining \
    --role=ckadsarole \
    --serviceaccount=ckadtraining:ckadexample
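The API server accepts a RoleBinding whose roleRef names a Role that does not exist, and such a binding grants nothing, so the name passed to --role must match the role exactly. The following is an added example, not part of the original page: a simplified Python model of namespaced RBAC evaluation over constructed objects, in which the helper names binding, dangling_bindings and can_i are hypothetical.

```python
# Added example: a simplified offline model of namespaced RBAC evaluation.
# Field names follow rbac.authorization.k8s.io/v1; ClusterRoles, apiGroups and
# resourceNames are deliberately ignored. All sample objects are constructed.
NS = "ckadtraining"

ROLE = {
    "kind": "Role",
    "metadata": {"name": "ckadsarole", "namespace": NS},
    "rules": [{"verbs": ["get", "list", "watch"], "resources": ["pods"]}],
}

def binding(name, role_name):
    """Build a RoleBinding for the ckadexample service account (constructed)."""
    return {
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": NS},
        "roleRef": {"kind": "Role", "name": role_name},
        "subjects": [{"kind": "ServiceAccount", "name": "ckadexample", "namespace": NS}],
    }

def _roles(objs):
    """Index Role objects by (namespace, name)."""
    return {(o["metadata"]["namespace"], o["metadata"]["name"]): o
            for o in objs if o["kind"] == "Role"}

def dangling_bindings(objs):
    """Names of RoleBindings whose roleRef points at a Role that is not present."""
    roles = _roles(objs)
    return [o["metadata"]["name"] for o in objs
            if o["kind"] == "RoleBinding"
            and (o["metadata"]["namespace"], o["roleRef"]["name"]) not in roles]

def can_i(objs, sa_ns, sa_name, verb, resource, namespace):
    """True if a RoleBinding in `namespace` grants `verb` on `resource` to the SA."""
    roles = _roles(objs)
    subject = {"kind": "ServiceAccount", "name": sa_name, "namespace": sa_ns}
    for o in objs:
        if o["kind"] != "RoleBinding" or o["metadata"]["namespace"] != namespace:
            continue
        role = roles.get((namespace, o["roleRef"]["name"]))
        if role is None or subject not in o["subjects"]:
            continue  # dangling roleRef or a different subject: grants nothing
        for rule in role["rules"]:
            if {verb, "*"} & set(rule["verbs"]) and {resource, "*"} & set(rule["resources"]):
                return True
    return False  # no matching rule: the default for a service account
```

On a live cluster the same question is answered by kubectl auth can-i list pods --as=system:serviceaccount:ckadtraining:ckadexample --namespace ckadtraining.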
Learn more about Service Accounts.