Script Valley
Kubernetes: From Containers to Clusters
Security, RBAC, and Production Readiness
Lesson 6.2

Kubernetes ServiceAccounts: how pods authenticate to the API server

ServiceAccount definition, default ServiceAccount, automountServiceAccountToken, projected service account token, RBAC binding to ServiceAccount, service account use in pods, token expiry and rotation

Every Pod Has an Identity

Kubernetes ServiceAccount token authentication diagram

When a Pod makes API calls (e.g., a controller listing Pods), it authenticates with a ServiceAccount token mounted at a well-known path inside the container (/var/run/secrets/kubernetes.io/serviceaccount/token). Every namespace has a ServiceAccount named default that is automatically assigned to any Pod that does not specify one.

Creating a Custom ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: production
automountServiceAccountToken: false   # opt-in instead of auto

Assigning to a Pod

spec:
  serviceAccountName: app-sa
  automountServiceAccountToken: true    # override if needed

Why Disable Auto-Mount

By default, Kubernetes mounts a ServiceAccount token into every Pod — even Pods that never call the API. This is unnecessary attack surface: any process that can read the container's filesystem holds a credential carrying whatever RBAC permissions are bound to that ServiceAccount. Disable auto-mounting at the ServiceAccount level and enable it only on Pods that genuinely need API access.

# Check what token is mounted in a running pod: decode the JWT payload.
# JWT segments use the base64url alphabet and omit '=' padding, so restore both before base64 -d.
kubectl exec my-pod -- cat /var/run/secrets/kubernetes.io/serviceaccount/token \
  | cut -d. -f2 | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' \
  | base64 -d | python3 -m json.tool
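As an added example (not the lesson's own code), the same payload inspection done in Python: it handles the base64url padding, reports which ServiceAccount, namespace and Pod the token is bound to, and checks the exp claim that projected tokens carry (a token without exp is a legacy Secret-based token that never rotates). The sample claims, NOW and the unsigned demo token are constructed for the example; on a real Pod you would read the file at TOKEN_PATH instead.

```python
# Added example (not lesson code): decode a mounted ServiceAccount token offline, with base64url padding and projected-token expiry.
import base64
import json

TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # well-known mount path

def b64url_decode(segment: str) -> bytes:
    """Decode a JWT segment: base64url alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(token: str) -> dict:
    """Return the JWT payload claims; no signature check, inspection only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def describe(claims: dict, now: int) -> dict:
    """Summarise who the token is for and whether (and when) it expires."""
    k8s = claims.get("kubernetes.io", {})
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "namespace": k8s.get("namespace"),
        "serviceaccount": k8s.get("serviceaccount", {}).get("name"),
        "pod": k8s.get("pod", {}).get("name"),
        "projected": exp is not None,   # legacy Secret-based tokens never expire
        "seconds_left": None if exp is None else int(exp - now),
    }

def make_demo_token(claims: dict) -> str:
    """Build an unsigned sample JWT (constructed for this demo, not a cluster token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'demo'})}.{enc(claims)}.signature"

# Constructed sample: projected token for app-sa in production, 1 hour lifetime.
NOW = 1_700_000_000
SAMPLE_TOKEN = make_demo_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:production:app-sa",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "iat": NOW, "exp": NOW + 3600,
    "kubernetes.io": {"namespace": "production", "pod": {"name": "my-pod"},
                      "serviceaccount": {"name": "app-sa"}},
})

if __name__ == "__main__":   # on a real pod: open(TOKEN_PATH).read() in place of SAMPLE_TOKEN
    print(json.dumps(describe(decode_payload(SAMPLE_TOKEN), NOW), indent=2))
```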
