In Kubernetes, there are two types of account: service accounts and user accounts. The major difference between them is that user accounts are not stored or managed in Kubernetes itself, so they cannot be added through API calls. The following table is a simple comparison:
| | Service account | User account |
|---|---|---|
| Scope | Namespaced | Global |
| Used by | Processes | Normal user |
| Created by | API server or via API calls | Administrators, can't be added via API calls |
| Managed by | API server | Outside the cluster |
Service accounts are used by processes inside a Pod to contact the API server. Kubernetes by default will create a service account named default. If there is no service account associated with a Pod, it'll be assigned to the default service account:
```
// check the default service account
# kubectl describe serviceaccount default
Name: default
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: default-token-q4qdh
Tokens: default-token-q4qdh
Events: <none>
```
We can see that there is a Secret associated with this service account. This is controlled by the token controller in the controller manager. When a new service account is created, the controller creates a token and associates it with the service account through the kubernetes.io/service-account.name annotation, allowing API access. The token is stored as a Secret in Kubernetes, so anybody with permission to view Secrets can read the token. The following is an example of creating a service account:
```
// configuration file of a ServiceAccount named chapter8-serviceaccount
# cat serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: chapter8-serviceaccount
// create the service account
# kubectl create -f serviceaccount.yaml
serviceaccount "chapter8-serviceaccount" created
// describe the service account we just created
# kubectl describe serviceaccount chapter8-serviceaccount
Name: chapter8-serviceaccount
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: chapter8-serviceaccount-token-nxh47
Tokens: chapter8-serviceaccount-token-nxh47
Events: <none>
```
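Two points above are worth checking on a real cluster: Pods with no serviceAccountName silently fall back to the default service account and get its token mounted, and each token Secret is tied to its service account by the kubernetes.io/service-account.name annotation. The following added example (not from the book) audits both from `kubectl get pods -o json` and `kubectl get secrets -o json` output; the JSON samples are constructed, trimmed to the fields used, and reuse the secret names shown above.

```python
import json

# Constructed sample of `kubectl get pods -o json`, trimmed to the fields used here.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"containers": [{"name": "web"}]}},  # no serviceAccountName: falls back to "default"
    {"metadata": {"name": "batch", "namespace": "default"},
     "spec": {"serviceAccountName": "chapter8-serviceaccount"}},
    {"metadata": {"name": "cache", "namespace": "default"},
     "spec": {"serviceAccountName": "default", "automountServiceAccountToken": False}},
]})

# Constructed sample of `kubectl get secrets -o json`, showing the annotation the token controller sets.
SECRETS_JSON = json.dumps({"items": [
    {"metadata": {"name": "default-token-q4qdh", "namespace": "default",
                  "annotations": {"kubernetes.io/service-account.name": "default"}},
     "type": "kubernetes.io/service-account-token"},
    {"metadata": {"name": "chapter8-serviceaccount-token-nxh47", "namespace": "default",
                  "annotations": {"kubernetes.io/service-account.name": "chapter8-serviceaccount"}},
     "type": "kubernetes.io/service-account-token"},
    {"metadata": {"name": "db-password", "namespace": "default"}, "type": "Opaque"},
]})


def pods_on_default_sa_with_token(pods_json):
    """Return (namespace, pod) pairs that run as the namespace's default service
    account and still get its token mounted: API credentials the Pod never asked for."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        spec = pod["spec"]
        sa = spec.get("serviceAccountName", "default")  # unset means the default SA
        # Unset at Pod level inherits the SA's setting; assumed true here (the SA default).
        automount = spec.get("automountServiceAccountToken", True)
        if sa == "default" and automount:
            findings.append((pod["metadata"]["namespace"], pod["metadata"]["name"]))
    return findings


def token_secrets_by_service_account(secrets_json):
    """Map (namespace, service account) to its token Secret names via the
    kubernetes.io/service-account.name annotation; non-token Secrets are skipped."""
    mapping = {}
    for s in json.loads(secrets_json)["items"]:
        if s.get("type") != "kubernetes.io/service-account-token":
            continue
        sa = s["metadata"]["annotations"]["kubernetes.io/service-account.name"]
        mapping.setdefault((s["metadata"]["namespace"], sa), []).append(s["metadata"]["name"])
    return mapping
```

Only the `web` Pod is reported: `batch` uses its own service account and `cache` opted out of the token mount.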