
What is a ServiceAccount, and how do Pods use it to talk to the API server?

Kubernetes, Docker, Helm & Podman · Intermediate level

Answer

A ServiceAccount is the Kubernetes identity assigned to a Pod. Pods use projected ServiceAccount tokens to authenticate to the API server, and RBAC decides what that identity is allowed to do.

Technical explanation

Modern ServiceAccount tokens are projected, time-bound, and audience-scoped, unlike the older long-lived token Secrets.

Disable automountServiceAccountToken where Pods do not need API access.

Scheduling controls place workloads correctly; RBAC and ServiceAccounts decide what identities can do after placement.

Use labels consistently because Services, Deployments, affinities, policies, and topology spread all depend on label selection.

Every constraint should be testable with events: FailedScheduling, denied API calls, or observed placement.

Hands-on example

1. Create a lab namespace for this exercise with explicit labels, ServiceAccounts, roles, node labels, or taints, then run a Pod with a scoped ServiceAccount and test kubectl auth can-i.

2. Use kubectl auth can-i, kubectl describe pod, and scheduling events to verify the expected decision.

3. Test a negative case, such as missing permission, missing toleration, or impossible affinity, and capture the exact error.

4. Convert the validated YAML into a reusable platform pattern with clear naming and labels.
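
Steps 1 to 3 as a script (an added example, not part of the original answer). The namespace sa-lab, the account and role name pod-reader, and the Pod name client are constructed for the lab; the checks impersonate the ServiceAccount with --as, so the user running them needs impersonation rights.

```shell
#!/bin/sh
# Added example; namespace, account, role and Pod names are constructed.
NS=sa-lab
SA=pod-reader

# Emit the lab manifest: a labelled namespace, a ServiceAccount, a Role that
# only allows reading Pods, its binding, and a Pod running under the account.
lab_manifest() {
cat <<EOF
apiVersion: v1
kind: Namespace
metadata: {name: $NS, labels: {purpose: sa-lab}}
---
apiVersion: v1
kind: ServiceAccount
metadata: {name: $SA, namespace: $NS}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: pod-reader, namespace: $NS}
rules:
- {apiGroups: [""], resources: [pods], verbs: [get, list]}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: pod-reader, namespace: $NS}
subjects:
- {kind: ServiceAccount, name: $SA, namespace: $NS}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: pod-reader}
---
apiVersion: v1
kind: Pod
metadata: {name: client, namespace: $NS, labels: {app: client}}
spec:
  serviceAccountName: $SA
  containers:
  - {name: main, image: registry.k8s.io/pause:3.9}
EOF
}

# expect_can_i <yes|no> <verb> <resource>: succeed only when RBAC's answer for
# the ServiceAccount matches. "kubectl auth can-i" exits non-zero on "no".
expect_can_i() {
  want=$1; shift
  got=$(kubectl auth can-i "$@" -n "$NS" --as="system:serviceaccount:$NS:$SA" 2>/dev/null) || true
  [ "$got" = "$want" ] || { echo "FAIL: can-i $* -> '$got', wanted '$want'" >&2; return 1; }
}

# Touch a cluster only when asked to: run this script with the argument "apply".
if [ "${1:-}" = "apply" ]; then
  lab_manifest | kubectl apply -f -
  expect_can_i yes list pods     # granted by the Role
  expect_can_i no get secrets    # negative case: resource not granted
  expect_can_i no delete pods    # negative case: verb not granted
fi
```

A failed expectation prints the decision that was returned, which is the exact error to capture for the negative case in step 3.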
