In Kubernetes, every namespace has a default ServiceAccount under which Pods in that namespace are executed. To enable more fine-grained identity and role-based access control, and to be prepared for a zero-trust setup using service mesh technologies like Istio, all applications should be configured to run under specific service accounts.
The example is a deployment running under a specific service account. Use the following command to deploy it:
kubectl apply -f examples/
Inspect the serviceAccountName attribute of the pod which was scheduled:
kubectl get pod $(kubectl get pods --selector=app=example -o jsonpath='{.items[0].metadata.name}') -o jsonpath='{.spec.serviceAccountName}'
Clean up with the following command:
kubectl delete -f example/
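The same serviceAccountName check can be run across a whole cluster to find workloads that still use the default ServiceAccount. The script below is an added example, not part of this repository; the function names, the SKIP_NS variable and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Pods that still run under the "default" ServiceAccount.
# Input, one Pod per line: NAMESPACE POD SERVICEACCOUNT, as produced by
#   kubectl get pods -A --no-headers \
#     -o custom-columns=NS:.metadata.namespace,POD:.metadata.name,SA:.spec.serviceAccountName

# Print "namespace/pod" for every Pod whose ServiceAccount is "default" or unset.
# Namespaces listed in SKIP_NS (space separated, assumed default: kube-system)
# are ignored.
default_sa_pods() {
  awk -v skip="${SKIP_NS:-kube-system}" '
    BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) ignore[s[i]] = 1 }
    NF >= 3 && !($1 in ignore) && ($3 == "default" || $3 == "<none>") {
      print $1 "/" $2
    }
  '
}

# Return 1 and list the offenders when any Pod is flagged, so the check can
# gate a CI job or a scheduled audit.
check_default_sa() {
  found=$(default_sa_pods)
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}

# Constructed sample listing (not taken from a real cluster).
sample_pods() {
  cat <<'EOF'
shop          example-7d9c5b6f4-abcde       example
shop          legacy-cron-28391-xk2lp       default
billing       invoice-api-5f6d8c9b7-qwert   invoice-api
billing       debug-shell                   default
kube-system   node-helper-l8x2m             default
EOF
}

# Demo run on the sample; against a cluster, pipe the kubectl command above
# into check_default_sa instead.
sample_pods | check_default_sa || echo "^ pods running under the default ServiceAccount"
```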