Service Accounts in K8s (Kubernetes)

In this post, let's try to understand:

  • What is a service account in K8s
  • Why do we need it?
  • An example of the same

K8s applications run in Pods. Pods usually need access to resources from cloud vendors like AWS, Google Cloud, Azure, etc.

Isn't this equivalent to what we do in the AWS world? Just create an IAM role with policies to talk to AWS resources?

Well not really…

But why? Why can't we just use an IAM role and move on in life? Why add more complexity?

A Pod's life is not simple 😃: it is ephemeral in nature, it might belong to different namespaces, it might come up and down (causing its properties to change), etc. So one would have to inject the IAM role at the place where pods are born, so that any new pods coming up would have this property available to them (like the deployment manifest).

But the catch here is that an IAM role is an AWS concept, and we cannot use it in K8s constructs directly (these are two different domains). That's where Service Accounts come in. A service account is a K8s construct and hence can be associated with a deployment manifest.

How do a service account and its associated IAM role communicate with the AWS IAM service?

An IAM OIDC provider facilitates this at the cluster level (set it up once and one should be good to go).

But what if a service account is not specified in the manifest file? Do we still have one?

When a service account is not specified, the namespace's default service account (named `default`) is used.

How do we create a service account?

What is the scope of a service account?

Service accounts are restricted to the namespace they are created in. A ClusterRole (`kubectl get clusterrole`) is used for permissions that apply to the entire cluster.

To use a service account in a pod, something like the manifest below can be used. This would grant `my-pod` all policies attached to the role associated with the service account `sample-service-account`. Note that the pod must be in the same namespace as the one in which the service account was created.
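As an added example (not code from the original post), here is a minimal manifest for the pattern described above: a service account annotated with the IAM role it should assume, and a pod that uses it. The namespace `my-namespace`, the image name and the role ARN are placeholders; the annotation key `eks.amazonaws.com/role-arn` is the one EKS reads when it projects a web-identity token into the pod.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sample-service-account
  namespace: my-namespace
  annotations:
    # Placeholder ARN: replace with the IAM role whose trust policy allows the
    # cluster's OIDC provider to assume it for this namespace/service account.
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/PLACEHOLDER-ROLE
---
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  namespace: my-namespace   # must match the service account's namespace
spec:
  # Referencing the service account gives this pod the IAM role above;
  # omit it and the pod silently runs as the namespace's "default" account.
  serviceAccountName: sample-service-account
  containers:
    - name: app
      image: my-app:1.0       # placeholder image
```

Once the pod is running, `aws sts get-caller-identity` executed inside it should report the assumed role rather than the node's instance role; if it reports the node role, the annotation or the role's trust policy is the first thing to check.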

There are more concepts here like Role, ClusterRole, RoleBinding and ClusterRoleBinding, which are related to service accounts in K8s and which we can look into in a follow-up article. Hope this was useful in explaining service accounts in K8s. Would love to hear your feedback in the comments. Till next time, ciao and stay safe! 👋

Sandeep Baldawa

whoami >> Slack, Prev — Springpath (Acquired by Cisco), VMware, Backend Engineer, Build & Release, Infra, Devops & Cybersecurity Enthusiast