What Are Kubernetes Service Accounts Used For?

Today, I had somebody ask if Kubernetes service accounts could be used for zero trust between services deployed to Kubernetes.

Short answer, no.

But it did drive me to review what Kubernetes service accounts can do:

- Your Pods need to communicate with the Kubernetes API server, for example in situations such as the following:
  - Providing read-only access to sensitive information stored in Secrets.
  - Granting cross-namespace access, such as allowing a Pod in namespace example to read, list, and watch for Lease objects in the kube-node-lease namespace.
- Your Pods need to communicate with an external service. For example, a workload Pod requires an identity for a commercially available cloud API, and the commercial provider allows configuring a suitable trust relationship.
- Authenticating to a private image registry using an imagePullSecret.
- An external service needs to communicate with the Kubernetes API server. For example, authenticating to the cluster as part of a CI/CD pipeline.
- You use third-party security software in your cluster that relies on the ServiceAccount identity of different Pods to group those Pods into different contexts.
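Here is what the first three use cases look like as manifests: one ServiceAccount with read-only access to a single Secret, a cross-namespace binding for Leases in kube-node-lease, and a Pod that runs as that ServiceAccount and pulls from a private registry. This is an added example, not code from the original post or from the Kubernetes docs. The namespaces example and kube-node-lease come from the list above; the ServiceAccount name app, the Secret name app-config, the registry Secret regcred and the image reference are assumptions.

```yaml
# Added example (not from the original post). Names "app", "app-config",
# "regcred" and the image reference are hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app
  namespace: example
# Use case 1: read-only access to ONE named Secret.
# Only "get" is granted. Giving "list" on secrets would let the workload
# read every Secret in the namespace, so it is deliberately left out.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-app-config
  namespace: example
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["app-config"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reads-app-config
  namespace: example
subjects:
  - kind: ServiceAccount
    name: app
    namespace: example
roleRef:
  kind: Role
  name: read-app-config
  apiGroup: rbac.authorization.k8s.io
# Use case 2: cross-namespace access. The Role and RoleBinding live in
# kube-node-lease; the subject is the ServiceAccount from "example".
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-leases
  namespace: kube-node-lease
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reads-leases
  namespace: kube-node-lease
subjects:
  - kind: ServiceAccount
    name: app
    namespace: example
roleRef:
  kind: Role
  name: read-leases
  apiGroup: rbac.authorization.k8s.io
# Use case 3: a Pod that runs as the ServiceAccount and authenticates to a
# private registry with an imagePullSecret. The pull secret is referenced on
# the Pod here; it could equally be set in the ServiceAccount's
# imagePullSecrets field so every Pod using the SA inherits it.
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: example
spec:
  serviceAccountName: app
  automountServiceAccountToken: true   # this Pod really does call the API server
  imagePullSecrets:
    - name: regcred
  containers:
    - name: app
      image: registry.example.com/team/app:1.0
```

After applying, check the effective permissions from the ServiceAccount's point of view with impersonation (your own user needs the impersonate verb for this): `kubectl auth can-i get secrets/app-config -n example --as=system:serviceaccount:example:app` should answer yes, `kubectl auth can-i list secrets -n example --as=system:serviceaccount:example:app` should answer no, and `kubectl auth can-i watch leases.coordination.k8s.io -n kube-node-lease --as=system:serviceaccount:example:app` should answer yes. Pods that never talk to the API server should instead set automountServiceAccountToken: false so a compromised container has no cluster credential to steal.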

Link to docs

On top of that, we use service accounts in EKS to give pods IAM roles.
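A concrete shape of that EKS setup, as an added example and not the author's own configuration: IAM Roles for Service Accounts (IRSA) is assumed to be the mechanism. The annotation key eks.amazonaws.com/role-arn, the injected environment variables and the default token audience are real IRSA behaviour; the account ID, region, OIDC provider ID, role name, namespace and ServiceAccount name are placeholders.

```yaml
# Added example (not from the original post). Account ID, region, OIDC
# provider ID, role name, namespace and SA name are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app
  namespace: example
  annotations:
    # The EKS pod identity webhook reads this annotation and injects
    # AWS_ROLE_ARN plus a projected ServiceAccount token (path in
    # AWS_WEB_IDENTITY_TOKEN_FILE, audience "sts.amazonaws.com" by default)
    # into every Pod that runs as this ServiceAccount. The AWS SDKs then call
    # sts:AssumeRoleWithWebIdentity with that token.
    eks.amazonaws.com/role-arn: "arn:aws:iam::123456789012:role/app-role"
---
# The IAM side: the role's trust policy. It is a JSON document in AWS; it is
# written in YAML form here so the whole example stays in one language.
# The "sub" condition is what ties the role to exactly one ServiceAccount.
# Dropping it would let ANY ServiceAccount in the cluster assume the role.
Version: "2012-10-17"
Statement:
  - Effect: Allow
    Principal:
      Federated: "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
    Action: "sts:AssumeRoleWithWebIdentity"
    Condition:
      StringEquals:
        "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:example:app"
        "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
```

The trust policy is the "suitable trust relationship" from the docs' external-service bullet: AWS trusts the cluster's OIDC issuer, and the condition on sub narrows that trust from "any Pod in this cluster" to "Pods running as example/app". Avoid StringLike with a wildcard in sub unless you really intend a whole namespace to share the role.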

