Can a pod use more than one service account

mabdulshakur54 · June 8, 2024, 8:04pm

rob_kodekloud · June 8, 2024, 8:19pm

No; the serviceAccountName field is single valued.

mabdulshakur54 · June 9, 2024, 2:03pm

okay thanks.

what happens when a time-bound service account expires?
Is it renewed automatically or must it be renewed manually

rob_kodekloud · June 9, 2024, 6:57pm

If I understand the docs correctly, the kublet corresponding to that pod will rotate the token before it expires.

Alistair_KodeKloud · June 9, 2024, 7:26pm

That is indeed what happens. If you are using software in the pod that was built with a Kubernetes client library newer or equal to the version when this change was first introduced (1.22 I think), it will just work.

If you have software that uses the automounted token directly (by reading it from the mounted volume), then it should not cache this token as it will change when Kubernetes rotates it.