Understanding Kubernetes: Part 29 Service Account

📢 If you’ve been following our Kubernetes series 2025, welcome back! For new readers, check out Part 28: ClusterRole and ClusterRoleBinding
Kubernetes Service Account
A Service Account in Kubernetes is used to authenticate Pods and provide them with permissions to access the API server securely. Each Pod runs under a Service Account, which can be assigned specific RBAC (Role-Based Access Control) permissions.
Why Use Service Accounts?
Secure API Access → Provides authentication for Pods to access the Kubernetes API.
Fine-Grained Permissions → Grants only necessary permissions using RBAC.
Workload Identity Management → Helps Pods interact with cloud services securely.
Creating a Service Account
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
```
This creates a Service Account named `my-service-account` in the `default` namespace.
Assigning a Service Account to a Pod
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: my-service-account
  containers:
  - name: my-container
    image: my-app-image
```
The `my-service-account` Service Account is assigned to the Pod, enabling it to authenticate with the Kubernetes API.
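What the Pod actually receives from this assignment, shown as an added example that is not part of the original post: the kubelet projects the account's token, the API server CA bundle and the Pod's namespace into every container under `/var/run/secrets/kubernetes.io/serviceaccount`, and the identity carried inside the token has the form `system:serviceaccount:<namespace>:<name>`. The script reads those files, decodes the identity claim (without verifying the signature, which only the API server does) and lists Pods through the in-cluster endpoint `kubernetes.default.svc`. `DEMO_TOKEN` is a constructed, unsigned token so the decoding step can be run outside a cluster; the mount path and API address are the standard ones, and the function names are chosen here.

```python
"""Using the Service Account mounted into a Pod (added example, not from the post)."""
import base64
import json
import os
import ssl
import urllib.request

# Standard projected-token mount path and in-cluster API server address.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
API_HOST = "https://kubernetes.default.svc"

# Constructed, unsigned token whose payload is
# {"sub":"system:serviceaccount:default:my-service-account"}. It exists only so the
# decoding step can be exercised outside a cluster; a real token is signed by the
# API server and also carries iss/aud/exp and kubernetes.io claims.
DEMO_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDpteS1zZXJ2aWNlLWFjY291bnQifQ."
    "constructed-signature"
)


def load_credentials(sa_dir=SA_DIR):
    """Read the token, namespace and CA bundle that the kubelet mounted into the container."""
    def read(name):
        with open(os.path.join(sa_dir, name), encoding="utf-8") as f:
            return f.read().strip()
    return {
        "token": read("token"),
        "namespace": read("namespace"),
        "ca_path": os.path.join(sa_dir, "ca.crt"),
    }


def token_identity(token):
    """Return the 'sub' claim of a service-account JWT: system:serviceaccount:<ns>:<name>.

    The signature is NOT checked here; only the API server verifies tokens. This is
    purely to show which identity RBAC will evaluate for the Pod's requests.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # JWTs strip base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return claims["sub"]


def build_pod_list_request(namespace, token, api_host=API_HOST):
    """Build GET /api/v1/namespaces/<ns>/pods with the token as a Bearer credential."""
    url = f"{api_host}/api/v1/namespaces/{namespace}/pods"
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )


def list_pods(creds):
    """Call the API server over TLS, trusting only the cluster CA that was mounted."""
    ctx = ssl.create_default_context(cafile=creds["ca_path"])
    req = build_pod_list_request(creds["namespace"], creds["token"])
    with urllib.request.urlopen(req, context=ctx) as resp:
        return [item["metadata"]["name"] for item in json.load(resp)["items"]]


if __name__ == "__main__":
    print("demo token identity:", token_identity(DEMO_TOKEN))
    if os.path.isdir(SA_DIR):  # only true when running inside a Pod
        creds = load_credentials()
        print("running as", token_identity(creds["token"]))
        print("pods in", creds["namespace"], ":", list_pods(creds))
```

Because every container gets this token by default, a workload that never talks to the API should not carry one: setting `automountServiceAccountToken: false` on the Pod spec (or on the ServiceAccount) keeps the credential out of the container entirely, which removes the most common way a compromised application turns into cluster API access.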
Granting Permissions Using RBAC
By default, a Service Account has no permissions. You must create a Role or ClusterRole and bind it to the Service Account with a RoleBinding or ClusterRoleBinding.
Example: Role & RoleBinding (Namespace-Specific Permissions)
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: my-service-account
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
This allows `my-service-account` to get and list Pods in the `default` namespace.
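How the API server decides whether a request from `my-service-account` is allowed, as an added example that is not part of the original post: a minimal re-implementation of RBAC rule matching for namespaced Roles and RoleBindings. A request is permitted only if some rule of a bound Role matches its verb, apiGroup and resource at the same time (`*` is a wildcard in each list), and a RoleBinding grants nothing outside its own namespace. The two manifests above are embedded as Python dicts; `can_i` is a name chosen here to mirror `kubectl auth can-i`. ClusterRoles, `resourceNames` and subresources are deliberately left out.

```python
"""Minimal RBAC evaluator for Roles and RoleBindings (added example, not from the post)."""

# The post's Role and RoleBinding, written as dicts instead of YAML.
ROLE = {
    "kind": "Role",
    "metadata": {"name": "pod-reader", "namespace": "default"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    ],
}

ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "pod-reader-binding", "namespace": "default"},
    "subjects": [
        {"kind": "ServiceAccount", "name": "my-service-account", "namespace": "default"},
    ],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}


def rule_allows(rule, verb, api_group, resource):
    """A single rule allows the request only if verb, apiGroup AND resource each match.
    "*" in any list matches everything, which is why wildcard rules deserve scrutiny."""
    def matches(allowed, wanted):
        return "*" in allowed or wanted in allowed

    return (
        matches(rule.get("verbs", []), verb)
        and matches(rule.get("apiGroups", []), api_group)
        and matches(rule.get("resources", []), resource)
    )


def binding_covers(binding, sa_name, sa_namespace):
    """True if the binding names this ServiceAccount (name and namespace) as a subject."""
    return any(
        s.get("kind") == "ServiceAccount"
        and s.get("name") == sa_name
        and s.get("namespace") == sa_namespace
        for s in binding.get("subjects", [])
    )


def can_i(roles, bindings, sa_name, sa_namespace, verb, resource, namespace, api_group=""):
    """Answer "can this ServiceAccount do <verb> on <resource> in <namespace>?"

    Only namespaced Roles referenced by RoleBindings are evaluated; a RoleBinding that
    references a ClusterRole is skipped here (out of scope for this example).
    """
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        # A RoleBinding only grants access inside the namespace it lives in.
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not binding_covers(binding, sa_name, sa_namespace):
            continue
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue
        role = roles_by_key.get((namespace, ref["name"]))
        if role is None:
            continue  # dangling roleRef: the binding grants nothing until the Role exists
        if any(rule_allows(rule, verb, api_group, resource) for rule in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("get", "pods", "default", ""),
        ("list", "pods", "default", ""),
        ("delete", "pods", "default", ""),
        ("get", "secrets", "default", ""),
        ("list", "deployments", "default", "apps"),
        ("get", "pods", "kube-system", ""),
    ]
    for verb, resource, ns, group in checks:
        ok = can_i([ROLE], [ROLE_BINDING], "my-service-account", "default",
                   verb, resource, ns, group)
        print(f"{verb:6} {group or 'core'}/{resource:12} in {ns:12} -> {'allowed' if ok else 'denied'}")
```

Against a real cluster, the authoritative answer comes from the API server itself, and impersonating the account is the standard way to audit a binding before trusting it: `kubectl auth can-i list pods --as=system:serviceaccount:default:my-service-account -n default`. The evaluator above is for reasoning about manifests before they are applied.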
Using Service Account with a Deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: my-service-account
      containers:
      - name: my-container
        image: my-app-image
```
Every Pod in this Deployment will use `my-service-account` for API access.
In My Previous Role
As a Senior DevOps Engineer, I used Service Accounts to:
Restrict access to Kubernetes resources by assigning minimal privileges.
Authenticate applications securely when integrating with AWS IAM roles for EKS using service account annotations.
Implement the Least Privilege Principle using RBAC policies for security-critical workloads.
This improved security, minimized risks, and ensured safe API interactions in Kubernetes clusters. 🚀
🚀 Ready to Master Kubernetes?
Take your Kubernetes journey to the next level with the Master Kubernetes: Zero to Hero course! 🌟 Whether you’re a beginner or aiming to sharpen your skills, this hands-on course covers:
✅ Kubernetes Basics — Grasp essential concepts like nodes, pods, and services. ✅ Advanced Scaling — Learn HPA, VPA, and resource optimization. ✅ Monitoring Tools — Master Prometheus, Grafana, and AlertManager. ✅ Real-World Scenarios — Build production-ready Kubernetes setups.
🔥 Flash Sale: Buy Kubernetes Course, Get Terraform FREE! Limited Time Offer!
🔥 Start Learning Now: [Join the Master Kubernetes Course + FREE Access to Terraform Course](https://cloudops0.gumroad.com/l/k8s)
Don’t miss your chance to become a Kubernetes expert! 💻✨