What Are Kubernetes Service Accounts Used For?

Today, I had somebody ask if Kubernetes service accounts could be used for zero trust between services deployed to Kubernetes.

Short answer, no.

But it did drive me to review what Kubernetes service accounts can do:

- Your Pods need to communicate with the Kubernetes API server, for example in situations such as the following:
  - Providing read-only access to sensitive information stored in Secrets.
  - Granting cross-namespace access, such as allowing a Pod in namespace example to read, list, and watch for Lease objects in the kube-node-lease namespace.
- Your Pods need to communicate with an external service. For example, a workload Pod requires an identity for a commercially available cloud API, and the commercial provider allows configuring a suitable trust relationship.
  - Authenticating to a private image registry using an imagePullSecret.
- An external service needs to communicate with the Kubernetes API server. For example, authenticating to the cluster as part of a CI/CD pipeline.
- You use third-party security software in your cluster that relies on the ServiceAccount identity of different Pods to group those Pods into different contexts.

(List taken from the Kubernetes documentation on service accounts.)
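As an added example that is not part of the post or the Kubernetes docs, here is what the cross-namespace case above looks like in practice: a ServiceAccount in one namespace given read-only access to Lease objects in kube-node-lease. The namespace "example", ServiceAccount "reader", Pod "lease-watcher" and image reference are assumed names.

```yaml
# Added example (not from the post or the Kubernetes docs): the cross-namespace
# case above. Assumed names: namespace "example", ServiceAccount "reader",
# Pod "lease-watcher"; the image reference is a placeholder.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: reader
  namespace: example
---
# The Role and RoleBinding live in the namespace being read (kube-node-lease);
# only the subject points back at the ServiceAccount in namespace "example".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: lease-reader
  namespace: kube-node-lease
rules:
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get", "list", "watch"]   # read-only: no create/update/delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-reader-leases
  namespace: kube-node-lease
subjects:
- kind: ServiceAccount
  name: reader
  namespace: example
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: lease-reader
---
# The Pod runs as "reader"; its mounted token is what the API server checks.
apiVersion: v1
kind: Pod
metadata:
  name: lease-watcher
  namespace: example
spec:
  serviceAccountName: reader
  containers:
  - name: main
    image: registry.example/lease-watcher:1.0   # placeholder image
```

Verify the grant before deploying with `kubectl auth can-i list leases -n kube-node-lease --as=system:serviceaccount:example:reader` (expect "yes") and the same command with `-n default` (expect "no"). The binding only governs what the API server lets this identity do and says nothing about traffic between Pods, which is the gap behind the "no" above.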

On top of that, we use service accounts in EKS to give pods IAM roles.

