Question on Service Account - I have created a service account and used it in a . . .

Tanumoy Ghosh:
Question on Service Account - I have created a service account and used it in a pod yaml, how can I verify whether the pod is applied with that service account ?

Fernando Jimenez:
Take a look at the pod’s description. There would be a token issued with the serviceaccount name.

Tanumoy Ghosh:
I did not get you exactly, this is what I could see:

$ kubectl get po nginx -o yaml | grep serviceAccountName:
  serviceAccountName: myuser
$ kubectl describe po nginx | grep -i "token\|serviceaccount"
      /var/run/secrets/ from kube-api-access-mnnmh (ro)
    TokenExpirationSeconds:  3607
$ kubectl get sa myuser -o yaml
apiVersion: v1
kind: ServiceAccount
  creationTimestamp: "2021-05-19T19:40:36Z"
  name: myuser
  namespace: default
  resourceVersion: "45650"
  uid: af48e4e8-0eb3-46e5-81b3-85322586e928
- name: myuser-token-n4bvc

How can I relate ?

Rahul B:
Try this

k describe po <name> | grep -i serviceaccount A2

Tanumoy Ghosh:
Let me clarify a bit more:

I am adding serviceaccount to the pod yaml as: (not used serviceAccount: myuser)
serviceAccountName: myuser

Describe po says:

$ kubectl describe po nginx
Name:         nginx
Namespace:    default
Priority:     0
Node:         kubenode02/
Start Time:   Wed, 26 May 2021 19:08:48 +0000
Labels:       run=nginx
Annotations:  &lt;none&gt;
Status:       Running
    Container ID:   <docker://0450fe71ca874f50c9ba6ee3be81df64247887dc3107d4b1b4b0b1d19e62535>4
    Image:          nginx
    Image ID:       <docker-pullable://nginx@sha256:09>ef025c198b8ae64d9bb08e00e072180d06c2ace866ebff749d1141b34ef420
    Port:           &lt;none&gt;
    Host Port:      &lt;none&gt;
    State:          Running
      Started:      Wed, 26 May 2021 19:08:55 +0000
    Ready:          True
    Restart Count:  0
    Environment:    &lt;none&gt;
      /var/run/secrets/ from kube-api-access-mcgwv (ro)
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       &lt;nil&gt;
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              &lt;none&gt;
Tolerations:                 <|> op=Exists for 300s
                             <|> op=Exists for 300s
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  61s   default-scheduler  Successfully assigned default/nginx to kubenode02
  Normal  Pulling    45s   kubelet            Pulling image "nginx"
  Normal  Pulled     40s   kubelet            Successfully pulled image "nginx" in 4.897529051s
  Normal  Created    40s   kubelet            Created container nginx
  Normal  Started    39s   kubelet            Started container nginx

Tanumoy Ghosh:
It might be machine-dependent thing:

When I tried implementing serviceAccount in Katacoda, it’s clearly justifying:

Describe po says:

      /var/run/secrets/ from namaste-token-c8hq5 (ro)

Describe sa gives same token:

Mountable secrets:   namaste-token-c8hq5
Tokens:              namaste-token-c8hq5