4. service_accounts.md 2025-08-20
A user represents a real person who typically interacts with the Kubernetes cluster through the kubectl executable or the UI dashboard. A ServiceAccount, by contrast, is the identity of a process running inside a Pod (Helm 2's Tiller component was a well-known example) that needs to talk to the API server through its RESTful HTTP API.
Every namespace in a Kubernetes cluster comes with a ServiceAccount named default. Any Pod that doesn't explicitly set spec.serviceAccountName runs as the default ServiceAccount of its namespace and, unless auto-mounting is disabled, gets that account's token mounted at /var/run/secrets/kubernetes.io/serviceaccount. Any permission granted to the default account is therefore inherited by every such Pod, which is why workloads that need API access should get their own ServiceAccount.
kubectl get serviceaccounts
# List all ServiceAccounts in the current namespace
kubectl create serviceaccount build-bot
# Create a new ServiceAccount named 'build-bot'
In Kubernetes releases before 1.24, the API server automatically created a Secret holding a long-lived API token and attached it to the new ServiceAccount; the Secret and token names used the ServiceAccount name as a prefix. Since 1.24 no such Secret is created: Pods receive short-lived, automatically rotated tokens through a projected volume, and a token for manual use is requested on demand with kubectl create token build-bot (optionally with --duration). Long-lived Secret-based tokens can still be created by hand, but they never expire and are a liability if leaked.
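As an added example (not part of the original notes): a dedicated ServiceAccount for the build-bot workload with token auto-mounting disabled at the account level, and a Pod that explicitly opts back in to a short-lived token via a projected volume. The Pod name build-pod, the container name worker and the nginx image are placeholders for the real workload; build-bot is the account created above.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
  namespace: default
# Pods using this account get no token unless they ask for one explicitly.
automountServiceAccountToken: false
---
apiVersion: v1
kind: Pod
metadata:
  name: build-pod            # assumed name
  namespace: default
spec:
  serviceAccountName: build-bot
  containers:
  - name: worker
    image: nginx             # assumed image, stands in for the real workload
    volumeMounts:
    - name: api-token
      mountPath: /var/run/secrets/tokens
      readOnly: true
  volumes:
  - name: api-token
    projected:
      sources:
      - serviceAccountToken:
          path: token
          # The kubelet requests this token via the TokenRequest API and
          # refreshes it before expiry; nothing long-lived is stored in a Secret.
          # Minimum accepted value is 600 seconds.
          expirationSeconds: 3600
          # No 'audience' set: the token is valid only for the API server.
          # Set an audience only for tokens meant to be presented to another service.
```

Apply with kubectl apply -f; the container then reads its token from /var/run/secrets/tokens/token and must re-read the file periodically, because the kubelet rotates it. A token for a one-off test from a workstation is obtained with kubectl create token build-bot --duration=1h rather than by extracting anything from a Secret.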
| Default ClusterRole | Description |
| --- | --- |
| cluster-admin | Allows read and write access to every resource across all namespaces (superuser). |
| admin | Allows read and write access to resources in a namespace, including Roles and RoleBindings. |
| edit | Allows read and write access to resources in a namespace except Roles and RoleBindings. Provides access to Secrets. |
| view | Allows read-only access to resources in a namespace except Roles, RoleBindings, and Secrets. |
kubectl create role read-only --verb=list,get,watch --resource=pods,deployments,services
# Create a Role named 'read-only' with list, get, and watch permissions on pods, deployments, and services
kubectl get roles
# List all Roles in the current namespace
kubectl describe role read-only
# Show detailed information about the 'read-only' Role
kubectl create rolebinding read-only-binding --role=read-only --user=johndoe
# Bind the 'read-only' Role to the user 'johndoe'
kubectl get rolebindings
# List all RoleBindings in the current namespace
kubectl describe rolebinding read-only-binding
# Show detailed information about the 'read-only-binding' RoleBinding
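The declarative equivalent of the two commands above, added here as an example and not taken from the original notes. kubectl create role resolves the API group of each resource for you; in a manifest you spell it out, which is where most hand-written RBAC mistakes happen. The second subject (the build-bot ServiceAccount) is an assumed addition to show how a ServiceAccount is referenced; the page itself only binds johndoe.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-only
  namespace: default
rules:
# pods and services are in the core API group, written as ""
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
# deployments are in the apps group; replicasets are deliberately absent,
# which is why 'kubectl get replicasets' is forbidden for this Role
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-only-binding
  namespace: default
subjects:
# A User subject has no namespace; the name must match the authenticated identity
- kind: User
  name: johndoe
  apiGroup: rbac.authorization.k8s.io
# Assumed addition: a ServiceAccount subject is always qualified by its namespace
- kind: ServiceAccount
  name: build-bot
  namespace: default
roleRef:
  kind: Role
  name: read-only
  apiGroup: rbac.authorization.k8s.io
```

roleRef is immutable once the binding exists; to point a binding at a different Role you delete and recreate it. Keep verbs to what the workload needs: list on secrets, for example, returns the secret contents, so "read-only" is not the same as harmless.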
kubectl config current-context
# Display the current kubectl context
kubectl create deployment myapp --image=nginx --port=80 --replicas=2
# Create a deployment named 'myapp' with 2 replicas of the nginx image
kubectl config use-context johndoe-context
# Switch kubectl to use the 'johndoe-context'
kubectl get deployments
# List all deployments in the current namespace
kubectl get replicasets
# Fails with Forbidden: replicasets is not among the resources granted by the 'read-only' Role
kubectl delete deployment myapp
# Attempt to delete the 'myapp' deployment
Error from server (Forbidden): deployments.apps "myapp" is forbidden: User "johndoe" cannot delete resource "deployments" in API group "apps" in the namespace "default"
# Error message indicating 'johndoe' does not have permission to delete deployments
kubectl auth can-i --list --as johndoe
# List all permissions of the user 'johndoe' (run from a context that is allowed to impersonate users)
To define a cluster-wide Role, use the imperative subcommand clusterrole or the kind ClusterRole in the YAML manifest.
To define a cluster-wide RoleBinding, use the imperative subcommand clusterrolebinding or the kind ClusterRoleBinding in the YAML manifest.
Both kinds are cluster-scoped: they have no namespace, and a ClusterRoleBinding grants the role in every namespace. A ClusterRole can also be referenced from an ordinary, namespaced RoleBinding, which limits the grant to that one namespace.
kubectl describe clusterrole pods-services-aggregation-rules
# Show details of the 'pods-services-aggregation-rules' ClusterRole (ClusterRoles are not namespaced, so a -n flag has no effect)
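Added example, not from the original notes: the cluster-scoped counterparts of the Role and RoleBinding above, plus an aggregated ClusterRole of the kind the name pods-services-aggregation-rules suggests. All object names (pods-services-reader, readers-aggregated, build-bot-readers, johndoe-readers) and the label key example.com/aggregate-to-readers are assumptions; the rbac-example namespace is taken from the page and is assumed to exist.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pods-services-reader            # assumed name
  labels:
    # Any ClusterRole carrying this label is folded into the aggregated role below
    example.com/aggregate-to-readers: "true"
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readers-aggregated              # assumed name
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      example.com/aggregate-to-readers: "true"
rules: []   # filled in by the controller from the selected ClusterRoles; not edited by hand
---
# Cluster-wide grant: the build-bot ServiceAccount can read pods and services in every namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: build-bot-readers               # assumed name
subjects:
- kind: ServiceAccount
  name: build-bot
  namespace: default
roleRef:
  kind: ClusterRole
  name: readers-aggregated
  apiGroup: rbac.authorization.k8s.io
---
# Same ClusterRole, but bound with a namespaced RoleBinding: johndoe gets it
# only inside rbac-example, not cluster-wide
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: johndoe-readers                 # assumed name
  namespace: rbac-example
subjects:
- kind: User
  name: johndoe
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pods-services-reader
  apiGroup: rbac.authorization.k8s.io
```

Aggregation is what the built-in admin, edit and view roles use to pick up permissions for custom resources: a CRD author ships a ClusterRole labelled rbac.authorization.k8s.io/aggregate-to-view: "true" and the view role grows accordingly. The same mechanism means that anyone who can create ClusterRoles with a matching label can silently widen an aggregated role, so treat the label namespace as a privileged boundary.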