Service Accounts


Service Accounts are identities managed by the Kubernetes API that give the processes running in a pod an identity in the cluster. Each Service Account is bound to a set of credentials stored as secrets in the same namespace. Every container in a pod inherits the credentials of the pod's designated service account, so the service account is the identity under which the pod's processes talk to the API server.

Service Accounts are managed entirely by the API and are created by making calls to the Kubernetes API server. kubectl automates this with the create subcommand. The example below shows an imperative command that creates a ServiceAccount called ckadexample in a namespace called ckadtraining:


$ kubectl create namespace ckadtraining

$ kubectl create serviceaccount ckadexample --namespace ckadtraining

A service account has no permissions within the cluster by default. To grant permissions, the service account must be bound, through a RoleBinding, to a Role that defines them. The following example creates a Role that allows the new service account to view pods within the ckadtraining namespace, and a RoleBinding that grants that Role to the ckadexample service account. The --role value of the RoleBinding must name the Role just created; a binding that references a non-existent Role is accepted by the API server but grants nothing:


$ kubectl create role ckadsarole \
    --namespace ckadtraining \
    --verb=get,list,watch \
    --resource=pods

$ kubectl create rolebinding ckadsarolebinding \
    --namespace ckadtraining \
    --role=ckadsarole \
    --serviceaccount=ckadtraining:ckadexample
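The same three objects can be written declaratively, which makes the relationship between them easy to check before anything is applied. The block below is an added example, not code from the original page or from the Kubernetes project: it builds the ServiceAccount, Role and RoleBinding as plain Python dicts using the names and namespace from the commands above, emits them as JSON (which kubectl apply -f accepts, since JSON is valid YAML), and runs a small consistency check that flags a RoleBinding whose roleRef names a Role that does not exist in the namespace, a subject that is not a known ServiceAccount, or a Role that grants write verbs where read-only access was intended. The helper names (service_account, role, role_binding, check_bindings, page_manifests) are this example's own.

```python
# Added example (not part of the original page): declarative equivalent of the
# kubectl commands above, plus a consistency check over the resulting objects.
import json

NAMESPACE = "ckadtraining"
RBAC_API = "rbac.authorization.k8s.io/v1"
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def service_account(name, namespace=NAMESPACE):
    """Equivalent of: kubectl create serviceaccount <name> --namespace <ns>."""
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": name, "namespace": namespace}}


def role(name, verbs, resources, namespace=NAMESPACE):
    """Equivalent of: kubectl create role <name> --verb=... --resource=...
    Core resources such as pods live in the empty ("") API group."""
    return {"apiVersion": RBAC_API, "kind": "Role",
            "metadata": {"name": name, "namespace": namespace},
            "rules": [{"apiGroups": [""], "resources": list(resources),
                       "verbs": list(verbs)}]}


def role_binding(name, role_name, sa_namespace, sa_name, namespace=NAMESPACE):
    """Equivalent of: kubectl create rolebinding <name> --role=<role>
    --serviceaccount=<ns>:<sa>. The roleRef of a binding is immutable."""
    return {"apiVersion": RBAC_API, "kind": "RoleBinding",
            "metadata": {"name": name, "namespace": namespace},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "Role", "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                          "namespace": sa_namespace}]}


def _key(manifest):
    return manifest["metadata"]["namespace"], manifest["metadata"]["name"]


def check_bindings(manifests):
    """Return a list of problems found in a set of manifests.

    The API server accepts a RoleBinding whose roleRef points at a Role that
    does not exist; the binding is then created but grants nothing. A Role
    that carries write verbs or "*" is reported as wider than read-only."""
    roles = {_key(m): m for m in manifests if m["kind"] == "Role"}
    accounts = {_key(m) for m in manifests if m["kind"] == "ServiceAccount"}
    problems = []
    for rb in (m for m in manifests if m["kind"] == "RoleBinding"):
        rb_name, ns = rb["metadata"]["name"], rb["metadata"]["namespace"]
        ref = rb["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references resolve cluster-wide; not covered here
        target = roles.get((ns, ref["name"]))
        if target is None:
            problems.append(f"{rb_name}: roleRef '{ref['name']}' matches no Role in namespace '{ns}'")
        else:
            verbs = {v for rule in target["rules"] for v in rule["verbs"]}
            wide = (verbs & WRITE_VERBS) | ({"*"} & verbs)
            if wide:
                problems.append(f"{rb_name}: Role '{ref['name']}' grants write verbs {sorted(wide)}")
        for subj in rb["subjects"]:
            if subj["kind"] == "ServiceAccount" and (subj["namespace"], subj["name"]) not in accounts:
                problems.append(f"{rb_name}: subject {subj['namespace']}/{subj['name']} is not a known ServiceAccount")
    return problems


def page_manifests(role_ref="ckadsarole"):
    """The three objects the page creates; role_ref lets a caller simulate a
    binding that names the wrong Role."""
    return [
        service_account("ckadexample"),
        role("ckadsarole", verbs=["get", "list", "watch"], resources=["pods"]),
        role_binding("ckadsarolebinding", role_ref, "ckadtraining", "ckadexample"),
    ]


def to_manifest_json(manifests):
    """Wrap the objects in a v1 List so one file can be fed to kubectl apply -f."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": manifests}, indent=2)


if __name__ == "__main__":
    print(to_manifest_json(page_manifests()))
    print("problems:", check_bindings(page_manifests()))                     # []
    print("problems:", check_bindings(page_manifests(role_ref="mysarole")))  # dangling roleRef reported
```

Running the script prints the manifest list followed by an empty problem list for the page's objects, and one reported problem when the binding is built with a roleRef (here the constructed name mysarole) that matches no Role in the namespace. The write-verb check is deliberately strict because the page's intent is a read-only viewer; a real policy would decide per role what counts as too wide.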


Learn more about Service Accounts.