How Kubernetes Service Accounts Operate

A question that comes up often, particularly in DevOps contexts, is which permissions a Kubernetes service account actually holds.

You might have a service account assigned to your pods, either by your own team or by a platform team. It is important to know exactly what that account is allowed to do, since anything running in the pod can use its token, and in particular whether it can perform sensitive actions such as deleting pods, listing namespaces, or removing deployments.

Here’s a straightforward way to check: use the “kubectl auth can-i” command.

For instance, if you wish to determine whether the “api-service-account” within the “devops-tools” namespace is capable of deleting deployments, you can open your terminal and enter the following command:

kubectl auth can-i delete deployments --as=system:serviceaccount:devops-tools:api-service-account
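The command above asks the API server's RBAC authorizer the same question it would answer for a real request from that service account. To show what that evaluation involves (how the service account identity is formed, which bindings apply, and why a RoleBinding only counts inside its own namespace), here is an added example of an offline model of that check. This is illustrative code, not kubectl's or Kubernetes' own implementation; the Role, ClusterRole and binding objects are constructed for the example, and the resource-to-API-group table covers only the three resources the post mentions.

```python
# Added example: an offline model of what `kubectl auth can-i <verb> <resource> --as=<sa>`
# evaluates on the API server. All RBAC objects below are constructed for the
# example and do not come from a real cluster.

# Which API group each resource lives in (only the resources this example uses).
API_GROUP_OF = {"deployments": "apps", "pods": "", "namespaces": ""}

# --- constructed RBAC objects (dict form of the YAML you would `kubectl apply`) ---
ROLES = {
    ("devops-tools", "deployment-manager"): {
        "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                   "verbs": ["get", "list", "delete"]}]
    },
}
CLUSTER_ROLES = {
    "namespace-reader": {
        "rules": [{"apiGroups": [""], "resources": ["namespaces"],
                   "verbs": ["get", "list"]}]
    },
}
ROLE_BINDINGS = [
    {"namespace": "devops-tools",
     "roleRef": {"kind": "Role", "name": "deployment-manager"},
     "subjects": [{"kind": "ServiceAccount", "name": "api-service-account",
                   "namespace": "devops-tools"}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "namespace-reader"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:devops-tools"}]},
]


def sa_identity(namespace, name):
    """Username the API server assigns to a service account's token."""
    return f"system:serviceaccount:{namespace}:{name}"


def sa_groups(identity):
    """Groups every service account is automatically a member of."""
    ns = identity.split(":")[2]
    return {"system:serviceaccounts", f"system:serviceaccounts:{ns}", "system:authenticated"}


def subject_matches(subject, identity):
    """Does a binding subject refer to this service account (directly or via group)?"""
    if subject["kind"] == "ServiceAccount":
        return identity == sa_identity(subject["namespace"], subject["name"])
    if subject["kind"] == "Group":
        return subject["name"] in sa_groups(identity)
    return False  # User subjects never match a service account


def rule_allows(rule, verb, api_group, resource):
    """A rule matches when verb, apiGroup and resource are each listed or wildcarded."""
    def match(allowed, want):
        return "*" in allowed or want in allowed
    return (match(rule["verbs"], verb)
            and match(rule["apiGroups"], api_group)
            and match(rule["resources"], resource))


def can_i(identity, verb, resource, namespace=None):
    """Return True if any binding grants `verb` on `resource` to `identity`.

    namespace=None models a cluster-scoped request (for example listing
    namespaces), which only a ClusterRoleBinding can satisfy.
    """
    api_group = API_GROUP_OF[resource]
    checks = []  # (subjects, rules) pairs that could apply to this request
    for crb in CLUSTER_ROLE_BINDINGS:  # apply everywhere, including cluster scope
        checks.append((crb["subjects"], CLUSTER_ROLES[crb["roleRef"]["name"]]["rules"]))
    for rb in ROLE_BINDINGS:
        if rb["namespace"] != namespace:
            continue  # a RoleBinding only grants access inside its own namespace
        ref = rb["roleRef"]
        rules = (ROLES[(namespace, ref["name"])]["rules"] if ref["kind"] == "Role"
                 else CLUSTER_ROLES[ref["name"]]["rules"])
        checks.append((rb["subjects"], rules))
    for subjects, rules in checks:
        if any(subject_matches(s, identity) for s in subjects):
            if any(rule_allows(r, verb, api_group, resource) for r in rules):
                return True
    return False  # RBAC is deny-by-default: no matching rule means "no"


def kubectl_can_i(identity, verb, resource, namespace=None):
    """The equivalent kubectl command to run against a live cluster."""
    cmd = f"kubectl auth can-i {verb} {resource} --as={identity}"
    return cmd + (f" -n {namespace}" if namespace else "")


if __name__ == "__main__":
    sa = sa_identity("devops-tools", "api-service-account")
    for verb, res, ns in [("delete", "deployments", "devops-tools"),
                          ("delete", "deployments", "default"),
                          ("list", "namespaces", None),
                          ("delete", "pods", "devops-tools")]:
        answer = "yes" if can_i(sa, verb, res, ns) else "no"
        print(f"{kubectl_can_i(sa, verb, res, ns):<95} -> {answer}")
```

Two points the model makes visible: a RoleBinding in devops-tools says nothing about what the account may do in default, so a permission check is always a question about a specific namespace, and `kubectl auth can-i` without `-n` answers for whatever namespace your current context selects; pass `-n devops-tools` (or `--all-namespaces`) explicitly when auditing. The group membership (`system:serviceaccounts:<namespace>`) is also worth checking for, since a ClusterRoleBinding to that group grants the permission to every service account in the namespace, not just the one you asked about.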