Understanding Kubernetes: Part 29 Service Account

PreviousUnderstanding Kubernetes: Part 28 ClusterRole and ClusterRoleBinding NextUnderstanding Kubernetes: Part 30 Horizontal Pod Autoscaler (HPA)

Last updated 1 month ago

Understanding Kubernetes: Part 29 Service Account

📢 If you’ve been following our Kubernetes series 2025, welcome back! For new readers, check out

Kubernetes Service Account

A Service Account in Kubernetes is used to authenticate Pods and provide them with permissions to access the API server securely. Each Pod runs under a Service Account, which can be assigned specific RBAC (Role-Based Access Control) permissions.

Why Use Service Accounts?

Secure API Access → Provides authentication for Pods to access the Kubernetes API.
Fine-Grained Permissions → Grants only necessary permissions using RBAC.
Workload Identity Management → Helps Pods interact with cloud services securely.

Creating a Service Account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default

This creates a Service Account named my-service-account in the default namespace.

Assigning a Service Account to a Pod

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: my-service-account
  containers:
    - name: my-container
      image: my-app-image

The my-service-account is assigned to the Pod, enabling it to authenticate with Kubernetes APIs.

Granting Permissions Using RBAC

By default, a Service Account has no permissions. You must create a Role or ClusterRole and bind it.

Example: Role & RoleBinding (Namespace-Specific Permissions)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: my-service-account
    namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

This allows my-service-account to list and get Pods in the default namespace.

Using Service Account with a Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: my-service-account
      containers:
        - name: my-container
          image: my-app-image

Every Pod in this Deployment will use my-service-account for API access.

In My Previous Role

As a Senior DevOps Engineer, I used Service Accounts to:

Restrict access to Kubernetes resources by assigning minimal privileges.
Authenticate applications securely when integrating with AWS IAM roles for EKS using service account annotations.
Implement Least Privilege Principle using RBAC policies for security-critical workloads.

This improved security, minimized risks, and ensured safe API interactions in Kubernetes clusters. 🚀

🚀 Ready to Master Kubernetes?

Take your Kubernetes journey to the next level with the Master Kubernetes: Zero to Hero course! 🌟 Whether you’re a beginner or aiming to sharpen your skills, this hands-on course covers:

✅ Kubernetes Basics — Grasp essential concepts like nodes, pods, and services. ✅ Advanced Scaling — Learn HPA, VPA, and resource optimization. ✅ Monitoring Tools — Master Prometheus, Grafana, and AlertManager. ✅ Real-World Scenarios — Build production-ready Kubernetes setups.

🔥 Flash Sale: Buy Kubernetes Course, Get Terraform FREE! Limited Time Offer!

Don’t miss your chance to become a Kubernetes expert! 💻✨

🚀 Master Terraform: Infrastructure as Code