Mock Exam 3 Q1 why create a pod


Can someone explain to me why we need to create a pod in this question?

As I understand it, a service wants access to be able to list all PersistentVolumes. So we created a service account and a cluster role (since PersistentVolumes is a cluster-wide resource); we then linked the two using clusterrolebinding. However, I don’t understand why we have to create a pod?

Hi @mohamed-Wadhi

We are creating a pod because we are giving that pod the service account credential. Were an application running in that pod some kind of dashboard for viewing persistent volumes, then it would need the appropriate permissions to call kube-apiserver to get that information (only that and no more - least privilege).

Note that when a service account is associated with a pod, then the credentials are implicitly mounted as files in the container’s file system.

1 Like
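What an application inside such a pod does with the mounted credential, as an added example that is not part of the original thread: it reads the token file, checks which identity the token carries, and sends it as a bearer token to kube-apiserver's PersistentVolume list endpoint. The service account name `pv-viewer`, the `default` namespace and the sample token are constructed for illustration.

```python
import base64, json, os, ssl, tempfile, urllib.request
from pathlib import Path

# Standard in-pod mount point for the service account token, CA and namespace.
SA_DIR = Path("/var/run/secrets/kubernetes.io/serviceaccount")

def token_identity(token: str) -> str:
    """Return the 'sub' claim of a service account JWT (no signature check)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def build_pv_request(sa_dir: Path = SA_DIR, env=os.environ) -> urllib.request.Request:
    """Build the GET an in-pod app sends to list PersistentVolumes."""
    token = (sa_dir / "token").read_text().strip()
    host = env["KUBERNETES_SERVICE_HOST"]   # injected into every pod
    port = env["KUBERNETES_SERVICE_PORT"]
    url = f"https://{host}:{port}/api/v1/persistentvolumes"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})

def list_pv_names(sa_dir: Path = SA_DIR) -> list:
    """Call kube-apiserver, trusting only the cluster CA mounted in the pod.
    Succeeds only if a ClusterRoleBinding grants this identity 'list' on PVs;
    otherwise the API server answers 403 Forbidden."""
    ctx = ssl.create_default_context(cafile=str(sa_dir / "ca.crt"))
    with urllib.request.urlopen(build_pv_request(sa_dir), context=ctx) as resp:
        return [pv["metadata"]["name"] for pv in json.load(resp)["items"]]

def constructed_token(sub: str) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': sub})}.sig"

if __name__ == "__main__":
    # Offline walk-through using a temporary directory in place of SA_DIR.
    with tempfile.TemporaryDirectory() as d:
        tok = constructed_token("system:serviceaccount:default:pv-viewer")
        (Path(d) / "token").write_text(tok)
        env = {"KUBERNETES_SERVICE_HOST": "10.96.0.1", "KUBERNETES_SERVICE_PORT": "443"}
        req = build_pv_request(Path(d), env)
        print("identity presented:", token_identity(tok))
        print("request:", req.get_method(), req.full_url)
```

Inside a real pod, `list_pv_names()` can be called with no arguments; from outside, `kubectl auth can-i list persistentvolumes --as=system:serviceaccount:default:pv-viewer` confirms the binding grants only what is intended.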