Understanding Kubernetes: Part 29 Service Account


📢 If you’ve been following our Kubernetes series 2025, welcome back! For new readers, check out Part 28: ClusterRole and ClusterRoleBinding

Kubernetes Service Account

A Service Account in Kubernetes is used to authenticate Pods and provide them with permissions to access the API server securely. Each Pod runs under a Service Account, which can be assigned specific RBAC (Role-Based Access Control) permissions.


Why Use Service Accounts?

  1. Secure API Access → Provides authentication for Pods to access the Kubernetes API.

  2. Fine-Grained Permissions → Grants only necessary permissions using RBAC.

  3. Workload Identity Management → Helps Pods interact with cloud services securely.


Creating a Service Account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
  • This creates a Service Account named my-service-account in the default namespace.


Assigning a Service Account to a Pod

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: my-service-account
  containers:
    - name: my-container
      image: my-app-image
  • The my-service-account is assigned to the Pod, enabling it to authenticate with Kubernetes APIs.


Granting Permissions Using RBAC

By default, a Service Account has no permissions. You must create a Role or ClusterRole and bind it.

Example: Role & RoleBinding (Namespace-Specific Permissions)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: my-service-account
    namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
  • This allows my-service-account to list and get Pods in the default namespace.


Using Service Account with a Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: my-service-account
      containers:
        - name: my-container
          image: my-app-image
  • Every Pod in this Deployment will use my-service-account for API access.


In My Previous Role

As a Senior DevOps Engineer, I used Service Accounts to:

  • Restrict access to Kubernetes resources by assigning minimal privileges.

  • Authenticate applications securely when integrating with AWS IAM roles for EKS using service account annotations.

  • Implement Least Privilege Principle using RBAC policies for security-critical workloads.

This improved security, minimized risks, and ensured safe API interactions in Kubernetes clusters. 🚀

🚀 Ready to Master Kubernetes?

Take your Kubernetes journey to the next level with the Master Kubernetes: Zero to Hero course! 🌟 Whether you’re a beginner or aiming to sharpen your skills, this hands-on course covers:

✅ Kubernetes Basics — Grasp essential concepts like nodes, pods, and services. ✅ Advanced Scaling — Learn HPA, VPA, and resource optimization. ✅ Monitoring Tools — Master Prometheus, Grafana, and AlertManager. ✅ Real-World Scenarios — Build production-ready Kubernetes setups.

🔥 Flash Sale: Buy Kubernetes Course, Get Terraform FREE! Limited Time Offer!

🔥 Start Learning Now: [Join the Master Kubernetes Course + FREE Access to Terraform Course](https://cloudops0.gumroad.com/l/k8s)

Don’t miss your chance to become a Kubernetes expert! 💻✨

🚀 Stay ahead in DevOps and SRE! 🔔 Subscribe now and never miss a beat on Kubernetes and more. 🌟

🚀 Master Terraform: Infrastructure as Code

🔥 Start Learning Now: Join the Master Terraform Course

Last updated