6.13 Service Accounts
Abstract
Service Accounts provide identity for applications running inside or outside Kubernetes. They allow workloads such as CI/CD tools, monitoring systems, and controllers to securely interact with the Kubernetes API.
User Accounts vs Service Accounts
Kubernetes supports two types of identities.
| Type | Used By | Example |
|---|---|---|
| User Account | Humans | Admins, Developers |
| Service Account | Applications | Prometheus, Jenkins, Controllers |
Note
Service accounts are designed specifically for machine-to-cluster authentication.
Why Service Accounts Matter
Applications often need to interact with Kubernetes:
- CI/CD tools deploy applications
- Monitoring tools read metrics
- Controllers manage cluster resources
- Internal dashboards query cluster state
To do this securely, they require an identity and token.
Tip
Service Accounts provide a secure way for applications to authenticate to the Kubernetes API.
Default Service Account
Every namespace automatically contains a service account named:
View service accounts:
Describe service account:
Warning
Avoid using the default service account for production workloads.
Service Account Tokens
Each service account uses a token for authentication.
The token is used like this:
Applications use this token to authenticate against the Kubernetes API.
Example
CI/CD tools or dashboards pass the token when making API requests.
Service Account Token Inside Pods
When a pod uses a service account:
- Kubernetes generates a short-lived token
- Token is mounted inside the pod
- Applications read the token to call the API
Mounted location:
Files typically include:
Example: Pod Using Service Account
apiVersion: v1
kind: Pod
metadata:
name: dashboard
spec:
serviceAccountName: dashboard-sa
containers:
- name: dashboard
image: my-dashboard
Note
Kubernetes automatically mounts the service account token into the pod.
Creating a Service Account
Create using kubectl:
Declarative YAML:
Creating Tokens (External Access)
For external tools (CI/CD, dashboards):
Create a token manually:
Custom duration:
Tip
These tokens can be used with API requests or Kubernetes dashboards.
Using the Token
Example API request:
The API server verifies:
- Token signature
- Expiration
- Associated service account
- RBAC permissions
Token Rotation
Modern Kubernetes uses short-lived tokens.
Features:
- Automatically rotated
- Bound to pod lifecycle
- Expire when pod is deleted
Success
This significantly improves security compared to older static tokens.
Disable Token Mounting
Sometimes pods should not access the Kubernetes API.
Disable token mounting:
Example:
apiVersion: v1
kind: ServiceAccount
metadata:
name: dashboard-sa
automountServiceAccountToken: false
Or inside pod spec.
Production Best Practices
DO
Success
- Create dedicated service accounts per application
- Apply least privilege RBAC
- Rotate tokens automatically
- Use namespace isolation
- Audit service account usage regularly
DON'T
Danger
- Do NOT use default service account in production
- Do NOT grant cluster-admin permissions
- Do NOT store tokens in plain text
- Do NOT expose tokens in logs
- Do NOT give pods unnecessary API access
Production Security Risks
| Risk | Impact |
|---|---|
| Using default service account | Excess permissions |
| Token leakage | Cluster compromise |
| Over-permissive RBAC | Privilege escalation |
| Static tokens | Long-term exposure |
Typical Production Usage
Service accounts are commonly used for:
| Application | Purpose |
|---|---|
| Prometheus | Read cluster metrics |
| Jenkins | Deploy workloads |
| ArgoCD | Manage deployments |
| Operators | Automate cluster tasks |
Summary
- Service accounts provide identity for applications
- Tokens authenticate applications with the Kubernetes API
- Tokens are automatically mounted into pods
- Tokens are short-lived and rotated
- RBAC controls service account permissions
Quote
Service Accounts are the backbone of secure automation in Kubernetes.