Security Basics: RBAC and Service Accounts

Every Pod in your cluster gets an API token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token. Every single one, unless you explicitly opt out. If you have not configured RBAC carefully, the answer to "what can this Pod do?" ranges from "almost nothing" to "far more than you intended."
Kubernetes controls API access with two mechanisms. Role-based access control (RBAC) defines what actions are permitted on which resources. ServiceAccounts provide the identities that workloads use to authenticate. Together, they enforce the principle of least privilege: every workload gets exactly the permissions it needs, and nothing more.
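
The two ideas above as manifests. This is an added example, not part of the original lesson: a dedicated ServiceAccount bound to a Role that permits only reading ConfigMaps, and a Pod that opts out of the token mount because it never calls the API. The namespace, object names and image are hypothetical.

```yaml
# Added example; "demo", "report-reader", "batch-job" and the image are hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: report-reader
  namespace: demo
---
# Role is namespaced: it grants read-only access to ConfigMaps in "demo" only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-reader
  namespace: demo
rules:
  - apiGroups: [""]            # "" is the core API group
    resources: ["configmaps"]
    verbs: ["get", "list"]     # no write verbs, no access to secrets
---
# RoleBinding attaches the Role to the ServiceAccount identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: report-reader-configmaps
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: report-reader
    namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-reader
---
# A Pod that never talks to the API server: opt out so no token is mounted.
apiVersion: v1
kind: Pod
metadata:
  name: batch-job
  namespace: demo
spec:
  automountServiceAccountToken: false
  containers:
    - name: worker
      image: registry.example.com/worker:1.0   # placeholder image
```

To check what the identity can do, run `kubectl auth can-i list configmaps -n demo --as=system:serviceaccount:demo:report-reader`, then the same command with `secrets` in place of `configmaps`; the first should answer `yes` and the second `no`.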