๐ Myth: "Every pod in Kubernetes must need a service account to function."
โ Reality: A service account is only needed when a pod needs to communicate with the Kubernetes API server or requires an identity for authentication.
But, Kubernetes assigns one to every pod by default.
๐ Why does Kubernetes do this?
Some workloads need to interact with the API server (e.g., retrieving secrets, managing resources, scaling applications).
Kubernetes enforces a secure-by-default approach, ensuring every pod has an identityโeven if it never uses it.
It follows RBAC (Role-Based Access Control) best practices, restricting what workloads can do in the cluster.
โ ๏ธ But what if my pod doesnโt need API access?
Even if your pod doesnโt interact with the Kubernetes API, it still gets a default service account. You canโt remove it, but you can strip its power to improve security.
You can disable token mount at two levels, Pod level and SA level.
๐Which One to Use?
Use pod-level: When you only want to restrict specific pods.
Use SA-level: When you want to enforce the restriction namespace-wide for all pods using that SA.
Tip: If both are set, the pod-level setting takes precedence.
๐ก Bottom Line: You canโt remove the service account itself, but you can make it powerless by removing its token.
This is a simple yet effective way to reduce unnecessary attack surfaces in your cluster.
Top comments (0)