= k8s/StudyNotes/ServiceAccounts =
 * used by e.g. Prometheus, Jenkins

 * create {{{
kubectl create serviceaccount dashboard-sa
kubectl get serviceaccount 
}}}

 * Service acount obj, creates tokens in secrets that can be mounted and used by services.
   * External - export service account token
   * Internal - mount token in pod

 * Token can be used in curl e.g. {{{
curl https://192.168.56.71:6443/api -insecure --header "Authorization: Bearer eyJ...
}}}
 
 * Each namespace had it's own default serviceaccount, very limited, mounted to each pod automatically. {{{
$ kubectl describe pod my-k8s-pod
...
Mounts:
  /var/run/secrets/kubernetes.io/serviceaccount from default-token-j4hkv (ro)
... 
Volumes
  default-token-j4hkv:
    SecretName: default-token-j4hkv
...
}}}
 * the volume mount, will create 3 files,  '''ca.crt''', '''namespace''', '''token'''
 * defaultservice account can be replaced by specifying '''serviceAccountName:''' in pod definition
   * can disable defaultservice auto mount with '''automountServiceAccountToken: false'''