KubeDojo

ServiceAccounts and Token Management

by Alexis Kinsella··13 min read
Every pod in your cluster is running with a Kubernetes identity. You didn't necessarily choose it — Kubernetes assigned the default ServiceAccount automatically, mounted a token into the pod's filesystem, and moved on. Most of the time you don't notice. Until you do.

The moment someone binds a ClusterRole to the default SA in your staging namespace to "quickly test something," every workload in that namespace inherits those permissions. Or you audit a cluster upgraded from pre-1.24 and find dozens of Secret-based tokens from ServiceAccounts that no longer exist — never expiring, never cleaned up. These aren't theoretical edge cases — they show up during security reviews and incident postmortems.
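Both findings above can be checked mechanically. The following is an added example (not part of this lesson): it takes objects in the item shape returned by `kubectl get <kind> -A -o json`, flags legacy Secret-based tokens whose ServiceAccount no longer exists, and lists any Role/ClusterRoleBinding whose subjects include a `default` ServiceAccount. The sample objects, names and namespaces are constructed for illustration.

```python
# Added example (not from the lesson): audit for the two ServiceAccount
# problems described above. Inputs mimic the item shape of
# `kubectl get <kind> -A -o json`; the sample objects are constructed.
TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"


def orphaned_token_secrets(secrets, service_accounts):
    """Legacy SA token Secrets whose owning ServiceAccount no longer
    exists in the same namespace. Returns sorted (namespace, name) pairs."""
    live = {(sa["metadata"]["namespace"], sa["metadata"]["name"])
            for sa in service_accounts}
    orphans = []
    for s in secrets:
        if s.get("type") != TOKEN_TYPE:
            continue  # only Secret-based SA tokens can be orphaned
        ns = s["metadata"]["namespace"]
        owner = s["metadata"].get("annotations", {}).get(SA_ANNOTATION)
        if (ns, owner) not in live:
            orphans.append((ns, s["metadata"]["name"]))
    return sorted(orphans)


def bindings_to_default_sa(bindings):
    """Names of Role/ClusterRoleBindings with a `default` ServiceAccount
    subject: every pod without an explicit serviceAccountName inherits them."""
    return sorted(b["metadata"]["name"] for b in bindings
                  if any(s.get("kind") == "ServiceAccount" and s.get("name") == "default"
                         for s in b.get("subjects", [])))


# Constructed sample data, not from a real cluster.
SERVICE_ACCOUNTS = [{"metadata": {"namespace": "staging", "name": n}}
                    for n in ("default", "web")]
SECRETS = [
    {"type": TOKEN_TYPE, "metadata": {"namespace": "staging", "name": "web-token-abc12",
                                      "annotations": {SA_ANNOTATION: "web"}}},
    # ServiceAccount "old-job" was deleted; its token Secret was not.
    {"type": TOKEN_TYPE, "metadata": {"namespace": "staging", "name": "old-job-token-x9y8z",
                                      "annotations": {SA_ANNOTATION: "old-job"}}},
    {"type": "Opaque", "metadata": {"namespace": "staging", "name": "db-creds"}},
]
BINDINGS = [
    {"metadata": {"name": "quick-test-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "staging"}]},
    {"metadata": {"name": "web-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "staging"}]},
]
```

Against a live cluster the same functions run over the `items` arrays of `kubectl get secrets -A -o json`, `kubectl get serviceaccounts -A -o json`, and the two binding kinds.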
