ServiceAccounts, Tokens, and Identity

You create a ServiceAccount, bind a Role, and the pod authenticates to the API server. That much is straightforward. But what actually happens between setting spec.serviceAccountName and a signed JWT appearing at /var/run/secrets/kubernetes.io/serviceaccount/token? Three separate control plane components coordinate to make it work: an admission controller, the TokenRequest API, and the kubelet's token manager.
ServiceAccounts sit at the intersection of authentication and authorization. The previous lesson on RBAC covered the authorization side: Roles, ClusterRoles, and bindings. This lesson covers the identity side: how Kubernetes issues, rotates, validates, and federates workload credentials. The CKA exam tests this within the Cluster Architecture domain (25%), and tasks range from creating ServiceAccounts to verifying permissions with kubectl auth can-i --as=system:serviceaccount:monitoring:prometheus.
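The identity half of that flow is easiest to see in the token itself. The following is an added example, not code from the lesson or from Kubernetes: it mints a token with the same claim layout the API server puts in a bound ServiceAccount token (a system:serviceaccount:<ns>:<name> subject, an audience, an expiry, and the kubernetes.io block binding it to a namespace, ServiceAccount and pod) and then validates it the way a relying party should, checking signature, expiry, audience and subject. The signing key and the HMAC-SHA256 algorithm are assumptions made only so the demo runs offline; real API-server tokens are signed with an asymmetric key (RS256/ES256) and verified against the issuer's published public keys.

```python
"""Mint and validate a Kubernetes-style bound ServiceAccount token.

Added example, not code from the lesson. The token is constructed here and
signed with HMAC-SHA256 purely so the demo runs offline; API-server-issued
tokens use an asymmetric key, but the claim layout is the same.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key standing in for the API server's token signing key.
DEMO_KEY = b"demo-signing-key"
ISSUER = "https://kubernetes.default.svc.cluster.local"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_demo_token(namespace, sa, pod, audience, ttl, now=None):
    """Build a JWT with the claims a projected ServiceAccount token carries."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": f"system:serviceaccount:{namespace}:{sa}",
        "aud": [audience],
        "iat": now,
        "nbf": now,
        "exp": now + ttl,  # bound tokens are short-lived and rotated by the kubelet
        "kubernetes.io": {
            "namespace": namespace,
            "serviceaccount": {"name": sa},
            "pod": {"name": pod},  # binds the token to this pod's lifetime
        },
    }
    signing_input = (
        f"{b64url(json.dumps(header).encode())}."
        f"{b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_demo_token(token, expected_aud, now=None):
    """Validate signature, expiry, audience and subject. Returns (ok, reason, claims)."""
    now = int(now if now is not None else time.time())
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed", None
    expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature", None
    claims = json.loads(b64url_decode(p))
    if now >= claims["exp"]:
        return False, "expired", claims
    # A token minted for one audience (e.g. an external vault) must not be
    # accepted by a different relying party.
    if expected_aud not in claims.get("aud", []):
        return False, "audience mismatch", claims
    if not claims["sub"].startswith("system:serviceaccount:"):
        return False, "not a serviceaccount subject", claims
    return True, "ok", claims


def principal(claims):
    """The identity RBAC evaluates: (namespace, serviceaccount, pod) from the bound claims."""
    k = claims["kubernetes.io"]
    return k["namespace"], k["serviceaccount"]["name"], k["pod"]["name"]


if __name__ == "__main__":
    aud = "https://kubernetes.default.svc"
    t0 = int(time.time())
    tok = mint_demo_token("monitoring", "prometheus", "prometheus-0", aud, 3600, now=t0)
    print(verify_demo_token(tok, aud, now=t0 + 10)[:2])        # (True, 'ok')
    print(verify_demo_token(tok, aud, now=t0 + 3601)[:2])      # (False, 'expired')
    print(verify_demo_token(tok, "vault", now=t0 + 10)[:2])    # (False, 'audience mismatch')
```

The subject in the token is exactly the principal you pass to kubectl auth can-i --as=system:serviceaccount:monitoring:prometheus, which is why that command is the right way to test what a pod's credential can do without exec'ing into the pod.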
CKA — Certified Kubernetes Administrator
63 lessons