Question

I want my kubernetes pod to use a service account other than the default . How to configure my pod to use multiple service accounts?

Answer 1

• A service account provides an identity for processes that run in a Pod.

• When you create a pod, if you do not specify a service account, it is automatically assigned the defaultservice account in the same namespace.

• Every namespace has a default service account resource called default. 

• You can list this and any other serviceAccount resources in the namespace with this command:

kubectl get serviceAccounts

• The output would be something like this:

NAME      SECRETS    AGE
default   1          1d

• You can create additional ServiceAccount objects like this:

kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
EOF

• If you get a complete dump of the service account object, like this:

kubectl get serviceaccounts/build-robot -o yaml

• The output is similar to this:

apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-06-16T00:12:59Z
  name: build-robot
  namespace: default
  resourceVersion: "272500"
  selfLink: /api/v1/namespaces/default/serviceaccounts/build-robot
  uid: 721ab723-13bc-11e5-aec2-42010af0021e
secrets:
- name: build-robot-token-bvbk5

• then you will see that a token has automatically been created and is referenced by the service account.

• You may use authorization plugins to set permissions on service accounts.

• To use a non-default service account, simply set the spec.serviceAccountName field of a pod to the name of the service account you wish to use.

• The service account has to exist at the time the pod is created, or it will be rejected.

• You cannot update the service account of an already created pod.

• You can clean up the service account from this example like this:

kubectl delete serviceaccount/build-robot

Source : Kubernetes docs.