A Service Account in Kubernetes is a special type of non-human privileged account that provides an identity for processes that run in a Pod.
When you create a Pod, if you do not specify a Service Account, it is automatically assigned the default Service Account in the same Namespace.
This note shows how to list the Service Accounts in a Kubernetes cluster and how to get the Roles and permissions associated with a Service Account.
Service Accounts are not User Accounts: User Accounts are used by humans, e.g. administrators or developers, to access a Kubernetes cluster for development or maintenance work, while Service Accounts are used by in-cluster Kubernetes entities, such as Pods, to authenticate to the Kubernetes API server or to external services.
Run one of these commands to list the Service Accounts in a K8s cluster:
$ kubectl get serviceaccounts # In the current Namespace
$ kubectl get serviceaccounts --namespace=<nameSpaceName> # In the specific Namespace
$ kubectl get serviceaccounts --all-namespaces # In all Namespaces
Like with any other Kubernetes resources you can get more details about your Service Account as follows:
$ kubectl describe sa <ServiceAccountName>
Get ServiceAccount Roles & Permissions
Let’s assume that your cluster uses Role-Based Access Control (RBAC) to grant access to Kubernetes API resources (this can be checked by running the kubectl api-versions command and looking for rbac.authorization.k8s.io).
In RBAC mode, Roles and ClusterRoles define the actions a user can perform within a namespace or cluster, respectively.
You can show the Roles and ClusterRoles with the associated Service Accounts by running the following command:
$ kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide
To get a prettier output you can execute the following one-liner (split over multiple lines for better readability):
$ kubectl get rolebinding,clusterrolebinding \
--all-namespaces \
-o jsonpath='{range .items[?(@.subjects[0].name=="<ServiceAccountName>")]}
[{.roleRef.kind},{.roleRef.name}]{end}'; echo
- sample output -
[Role,<roleName>][ClusterRole,<clusterRoleName>]
Alternatively you can generate a compact role mapping table and grep for the name of your Service Account as follows:
$ kubectl get rolebinding,clusterrolebinding \
--all-namespaces \
-o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name' |\
{ head -1; grep "<ServiceAccountName>"; }
- sample output -
KIND                NAMESPACE   NAME                SERVICE_ACCOUNTS
RoleBinding         default     <roleName>          <serviceAccountName>
ClusterRoleBinding  <none>      <clusterRoleName>   <serviceAccountName>
Once you have found the Roles associated with your Service Account, you can display the permissions by running the following command (for a ClusterRole, use kubectl describe clusterrole <ClusterRoleName> instead):
$ kubectl describe role <RoleName>
- sample output -
Name:         <roleName>
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods/exec  []                 []              [create delete get list patch update watch]
  pods       []                 []              [create delete get list patch update watch]
  events     []                 []              [get list watch]
  pods/log   []                 []              [get list watch]
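The whole lookup above (find the bindings that name a Service Account, then resolve the Role or ClusterRole they reference and read its rules) as an added example, not code from the original note. It works on the JSON that kubectl get rolebindings,clusterrolebindings --all-namespaces -o json and kubectl get roles,clusterroles --all-namespaces -o json would return; the JSON embedded here is constructed for illustration. Unlike the jsonpath one-liner, which only looks at subjects[0], it scans every subject of every binding, and it flags a binding whose roleRef points at a role that does not exist.

```python
"""Resolve the RBAC bindings and rules granted to one ServiceAccount."""
import json

# Constructed sample: shape of `kubectl get rolebindings,clusterrolebindings -A -o json`.
BINDINGS = json.loads("""{"items": [
 {"kind": "RoleBinding", "metadata": {"name": "pod-reader-rb", "namespace": "default"},
  "subjects": [{"kind": "User", "name": "alice"},
               {"kind": "ServiceAccount", "name": "ci-bot", "namespace": "default"}],
  "roleRef": {"kind": "Role", "name": "pod-reader"}},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-bot-view"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "default"}],
  "roleRef": {"kind": "ClusterRole", "name": "view"}},
 {"kind": "RoleBinding", "metadata": {"name": "dangling-rb", "namespace": "dev"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "dev"}],
  "roleRef": {"kind": "Role", "name": "pod-reader"}}]}""")

# Constructed sample: shape of `kubectl get roles,clusterroles -A -o json`.
ROLES = json.loads("""{"items": [
 {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "default"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "view"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]}]}""")

def bindings_for(sa_name, sa_namespace, bindings):
    """Bindings whose subjects include the ServiceAccount; every subject is checked, not just [0]."""
    found = []
    for b in bindings["items"]:
        for s in b.get("subjects") or []:
            if s.get("kind") != "ServiceAccount" or s.get("name") != sa_name:
                continue
            # ServiceAccount subjects carry a namespace; falling back to the binding's is an assumption.
            if s.get("namespace", b["metadata"].get("namespace")) == sa_namespace:
                found.append(b)
                break
    return found

def rules_for(binding, roles):
    """Resolve roleRef: a Role lives in the binding's namespace, a ClusterRole is cluster-wide.
    Note a RoleBinding may reference a ClusterRole; its rules then apply only in that namespace."""
    ref = binding["roleRef"]
    for r in roles["items"]:
        if r["kind"] != ref["kind"] or r["metadata"]["name"] != ref["name"]:
            continue
        if ref["kind"] == "ClusterRole" or r["metadata"].get("namespace") == binding["metadata"].get("namespace"):
            return r["rules"]
    return None  # dangling binding: the referenced role does not exist

def permissions(sa_name, sa_namespace, bindings=BINDINGS, roles=ROLES):
    """(binding kind, binding name, scope, roleRef kind, roleRef name, rules) per matching binding."""
    return [(b["kind"], b["metadata"]["name"], b["metadata"].get("namespace", "<cluster-wide>"),
             b["roleRef"]["kind"], b["roleRef"]["name"], rules_for(b, roles))
            for b in bindings_for(sa_name, sa_namespace, bindings)]

if __name__ == "__main__":
    for row in permissions("ci-bot", "default"):
        print(row)
```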