The API credentials for service accounts are normally mounted in pods as:

/var/run/secrets/kubernetes.io/serviceaccount/token

This token allows containerized processes in the pod to communicate with the API server.

What's the purpose of a pod's service account (serviceAccountName), if automountServiceAccountToken is set to false?

CodePudding user response：

The purpose of service account is not related to automountServiceAccountToken; whether you opt-in or out to have the credential mounted for you does not change the access level of the service account. Even if you don't specify a service account name, the default service account will be associated with your pod.

CodePudding user response：

A little of theory:

Let's start with what happens when pod should be created.

When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace

Reference.

So all pods are linked to service account anyway (default or specified in spec).

Then API access token is always generated for each service account.

automountServiceAccountToken flag defines if this token will automatically mounted to the pod after it has been created.

Answer:

What's the purpose of a pod's service account (serviceAccountName), if automountServiceAccountToken is set to false?

It may make a difference depending on what processes are involved in pod creation. Good example is in comments in GitHub issue (where this flag eventually came from):

There are use cases for still creating a token (for use with external systems) or still associating a service account with a pod (for use with image pull secrets), but being able to opt out of API token automount (either for a particular pod, or for a particular service account) is useful.