KKloud TarusKKloud Tarus
  • Blog
  • Series
  • Team
  • About

Blog

Thoughts on engineering, design, and building great products.

SeriesAll postsAIAPFAPIAPI GatewayARPAWSAdmissionAffinityAggregationAnsibleAppArmorArchitectureAuthenticationAuthorization
ServiceAccount and Bound Tokens
DevOpsSecurity

ServiceAccount and Bound Tokens

Articles 51–52 used ServiceAccount without dissecting it. This article gets into the mechanism: every namespace has a default SA, the kubelet auto-injects a short-lived token via a projected volume, and that token is bound to the exact pod and node. To prove it's truly bound, we grab the token in a running pod, call the API successfully, then delete the pod — the old token immediately becomes 401. Plus how to turn off auto-mount and read the JWT claims.

K
KaiMay 24, 2026· 27 views
Authentication and the Path Into the API...
DevOpsSecurity

Authentication and the Path Into the API Server

Every kubectl command is an HTTPS request to the API server, and before it touches data it must pass three stages: authentication, authorization, admission. This article opens Part XI with the first stage — the API server figuring out who you are. We examine the three ways our self-built cluster authenticates a request: client certificate (the one admin.kubeconfig uses), ServiceAccount token, and anonymous request — using kubectl auth whoami and real commands on the cluster.

K
KaiMay 24, 2026· 20 views
KKloud TarusKKloud Tarus

Explore. Build. Share.

  • Blog
  • Team
  • About
© 2026 KKloud Tarus. All rights reserved.