= k8s/StudyNotes/ServiceAccounts =

 * Used by e.g. Prometheus, Jenkins
 * Create
{{{
kubectl create serviceaccount dashboard-sa
kubectl get serviceaccount
}}}
 * The service account object creates tokens in secrets that can be mounted and used by services.
 * External - export service account token
 * Internal - mount token in pod
 * Token can be used in curl e.g.
{{{
curl https://192.168.56.71:6443/api --insecure --header "Authorization: Bearer eyJ..."
}}}
 * Each namespace has its own default serviceaccount, very limited, mounted to each pod automatically.
{{{
$ kubectl describe pod my-k8s-pod
...
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-j4hkv (ro)
...
Volumes
  default-token-j4hkv:
    SecretName: default-token-j4hkv
...
}}}
 * The volume mount creates 3 files: '''ca.crt''', '''namespace''', '''token'''
 * The default service account can be replaced by specifying '''serviceAccountName:''' in the pod definition
 * The default service account auto mount can be disabled with '''automountServiceAccountToken: false'''
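An added example (not part of the original notes): a Python audit over data shaped like `kubectl get pods -o json` that reports which pods get a service account token mounted, applying the '''serviceAccountName''' and '''automountServiceAccountToken''' rules above. The sample pods, the `no-mount-sa` account and the function names are constructed for illustration; the ServiceAccount-level setting is passed in as a plain lookup table.

```python
import json

# Constructed sample shaped like `kubectl get pods -o json` output (not from the notes).
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"name": "my-k8s-pod", "namespace": "default"},
   "spec": {"containers": [{"name": "app"}]}},
  {"metadata": {"name": "dashboard", "namespace": "default"},
   "spec": {"serviceAccountName": "dashboard-sa", "containers": [{"name": "ui"}]}},
  {"metadata": {"name": "batch-job", "namespace": "default"},
   "spec": {"automountServiceAccountToken": false, "containers": [{"name": "job"}]}},
  {"metadata": {"name": "worker", "namespace": "default"},
   "spec": {"serviceAccountName": "no-mount-sa", "containers": [{"name": "w"}]}}
]}
""")

# Constructed: automountServiceAccountToken as set on ServiceAccount objects,
# keyed by (namespace, name). Accounts not listed leave the field unset.
SAMPLE_SA_AUTOMOUNT = {("default", "no-mount-sa"): False}


def token_automounted(pod, sa_automount):
    """Return (service_account, mounted) for one pod object."""
    spec = pod["spec"]
    namespace = pod["metadata"].get("namespace", "default")
    # An unset serviceAccountName means the namespace's "default" account.
    account = spec.get("serviceAccountName") or "default"
    # The pod-level field takes precedence over the ServiceAccount-level one.
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return account, bool(pod_setting)
    # Unset on both the pod and the ServiceAccount means the token is mounted.
    return account, sa_automount.get((namespace, account), True)


def audit(pods, sa_automount):
    """List pods that get a token mounted, flagging use of the default account."""
    findings = []
    for pod in pods["items"]:
        account, mounted = token_automounted(pod, sa_automount)
        if mounted:
            note = "default account token" if account == "default" else "named account token"
            findings.append((pod["metadata"]["name"], account, note))
    return findings


if __name__ == "__main__":
    for name, account, note in audit(SAMPLE_PODS, SAMPLE_SA_AUTOMOUNT):
        print(f"{name}: mounts token for '{account}' ({note})")
```

Pods that appear in the output but never call the API server are candidates for '''automountServiceAccountToken: false'''.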