Hi Team I was going through the CKA course and have a doubt in the ServiceAccoun . . .

Kubernetes-Slack Discussions
#1

Nandha Kumar Nagarajan:
Hi Team
I was going through the CKA course and have a doubt in the ServiceAccount section. I created a service account “monitoring-sa” and specified it in a deployment file

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-dep
  labels:
    app: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: monitoring
  template:
    metadata:
      name: my-pod
      labels:
        app: monitoring
    spec:
      serviceAccountName: monitoring-sa
      containers:
      - name: sa-test
        image: ubuntu
        command: ["bash", "-c"]
        args:
        - while true; do
            echo "sleeping";
            sleep 5;
          done

Then I rolled out the deployment and checked the pod describe to see whether the service account “monitoring-sa” is attached or not. Noticed the service account I created is not attached and instead something else “kube-api-access-xxxx” is attached

Containers:
  sa-test:
    Container ID:  <docker://ce60722d6ec736dc127489448d67361b73c9abc0475050ce32838b3432c7445>8
    Image:         ubuntu
    Image ID:      <docker-pullable://ubuntu@sha256:626>ffe58f6e7566e00254b638eb7e0f3b11d4da9675088f4781a50ae288f3322
    Port:          &lt;none&gt;
    Host Port:     &lt;none&gt;
    Command:
      bash
      -c
    Args:
      while true; do echo "sleeping"; sleep 5; done
    State:          Running
      Started:      Thu, 30 Dec 2021 16:15:10 +0000
    Ready:          True
    Restart Count:  0
    Environment:    &lt;none&gt;
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-d6qqh (ro)
Volumes:
  kube-api-access-d6qqh:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       &lt;nil&gt;
    DownwardAPI:             true
#2

Nandha Kumar Nagarajan:
This is confusing me a lot. Any info will be very helpful

#3

Nandha Kumar Nagarajan:
I tried googling but no luck

#4

Ayush Jain:
Service account has an API token attached to it. That gets mounted into the pod. This token is used by the pod to access the kubernetes API to get the details of the object. The kube-api-token-xxxxx is the api token.

#5

Ayush Jain:
To see if the token belongs to the same SA, go inside the pod. Check the token file contents. Copy the content. Use http://jwt.io|jwt.io and paste the content to decode it. In the right side, in the second box you can see the details and service account name as well.

#6

Ayush Jain:
Hope this helps.