I'm a little confused about the default Service Account in a newly created Namespace in my Minikube.
- Does it have any permissions? It seems not, because I can't find any rolebinding or clusterrolebinding which references this SA.
- Then why is it created when it does not have a permission, or is there a use case around that?
- And lastly, why are service accounts by default mounted to pods?
Regards, ralph
The default service account doesn’t have enough permissions to retrieve the services running in the same namespace.
Kubernetes follows the convention of closed-to-open which means that by default no user or service account has any permissions.
To fulfill this request, we need to create a role binding associating the default service account with an appropriate role. This is similar to how we assign a viewer role to the service account that can give permission to list pods.
Pods have the default service account assigned even when you don’t ask for it. This is because every pod in the cluster needs to have one (and only one) service account assigned to it.
Refer to Kubernetes namespace default service account for more information.
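
The role binding described in the answer above, written out as manifests. This is an added example and not part of the original answer; the namespace `demo`, the names `service-reader`, `default-reads-services` and `no-api-access`, and the container image are assumptions made for illustration. The last manifest shows a pod that does not call the API and therefore opts out of the token mount the question asks about.

```yaml
# Role: read-only access to Services, scoped to one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: service-reader          # hypothetical name
  namespace: demo               # assumed namespace
rules:
  - apiGroups: [""]             # "" is the core API group, where Services live
    resources: ["services"]
    verbs: ["get", "list"]
---
# RoleBinding: attach the Role to the namespace's default service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-reads-services  # hypothetical name
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: default
    namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: service-reader
---
# A pod that never talks to the API server can skip the token mount.
# The pod still runs as the default service account, but no credential
# for it is placed in the container's filesystem.
apiVersion: v1
kind: Pod
metadata:
  name: no-api-access           # hypothetical name
  namespace: demo
spec:
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example/app:1.0   # constructed placeholder image
# Check the effective permission before and after applying the binding:
#   kubectl auth can-i list services -n demo \
#     --as=system:serviceaccount:demo:default
```

Because the binding applies to every pod in `demo` that does not name its own service account, keep the role limited to the verbs and resources the workload actually needs.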