KKloud TarusKKloud Tarus
  • Blog
  • Series
  • Team
  • About

Blog

Thoughts on engineering, design, and building great products.

SeriesAll postsServiceAccountAIAPFAPIAPI GatewayARPAWSAdmissionAffinityAggregationAnsibleAppArmorArchitectureAuthenticationAuthorization
ServiceAccount and Bound Tokens
DevOpsSecurity

ServiceAccount and Bound Tokens

Articles 51–52 used ServiceAccount without dissecting it. This article gets into the mechanism: every namespace has a default SA, the kubelet auto-injects a short-lived token via a projected volume, and that token is bound to the exact pod and node. To prove it's truly bound, we grab the token in a running pod, call the API successfully, then delete the pod — the old token immediately becomes 401. Plus how to turn off auto-mount and read the JWT claims.

K
KaiMay 24, 2026· 27 views
KKloud TarusKKloud Tarus

Explore. Build. Share.

  • Blog
  • Team
  • About
© 2026 KKloud Tarus. All rights reserved.