I am trying to add a service account to the pod but I cannot see it being mounte . . .

DIVYA SINGHAL:
I am trying to add a service account to the pod but I cannot see it being mounted to the pod with the kubectl describe pod.
I can see only the default secret mounted:

    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-x2rs4 (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  kube-api-access-x2rs4:
    Type:                    Projected (a volume that contains injected data from multiple sources)

Can someone help with what I may be doing wrong here?

Alistair Mackay:
Please post the YAML used to create the pod

DIVYA SINGHAL:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: nginx
  name: pvviewer
spec:
  serviceAccountName: pvviewer
  containers:
  - image: nginx
    name: nginx
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

Alistair Mackay:
Ok, looks fine

/var/run/secrets/kubernetes.io/serviceaccount

This is a directory that has been auto-mounted in the pod for the given service account pvviewer.
This directory will contain a file called token which is a bearer token for access to the API server.
You will be able to perform whatever operations have been granted to the pvviewer SA by any role bound to it.

DIVYA SINGHAL:
How can I check if the SA has been mounted correctly?

DIVYA SINGHAL:
The steps I performed for solving this question are

Alistair Mackay:
I think the pod would fail to create if the service account did not exist

DIVYA SINGHAL:
k create sa

Name:                pvviewer
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   <none>
Tokens:              <none>
Events:              <none>

DIVYA SINGHAL:
I cannot see any token mounted on it after I created the SA

Alistair Mackay:

kubectl exec nginx -it -- /bin/sh

This gets you into the pod, then

ls -l /var/run/secrets/kubernetes.io/serviceaccount

and you should see a file called token

DIVYA SINGHAL:
Yes, I can see that

Alistair Mackay:
Then the SA token is mounted

DIVYA SINGHAL:
But how can I be sure that this token is from the SA I created and not the default SA?

Alistair Mackay:

spec:
  serviceAccountName: pvviewer

DIVYA SINGHAL:
Can't we see that in the k describe pod under volume mount?

Alistair Mackay:
Because you have told it to use a specific SA.
It’s only not going to be that SA if there is a bug in Kubernetes - and that would be a very serious bug!

DIVYA SINGHAL:
The spec you shared, it's from the pod.yaml only, right?

DIVYA SINGHAL:
Umm yes, I do not see the SA and I am working on one of the KodeKloud labs only.

DIVYA SINGHAL:
Not sure if there is a bug or something else in it.

DIVYA SINGHAL:
The steps I followed for my activity: