Why are ServiceAccounts usually created for each application in a Helm release

Hello,

There is a little back story to this question which you might or might not want to skip…

Summary

We have teams of developers that need to access their own namespace, and CI jobs that need to deploy stuff to these namespaces. I’ve been working on making our roles in our cluster more limited for our users, so one of the APIs I removed was core/serviceaccounts as I didn’t see a use for them in our workloads.

However, this change borked our deployments for a while because the existing Helm releases actually created a ServiceAccount each time, which I didn’t know. So now I’m investigating why they were created in the first place.

I noticed it was a common pattern for Helm releases to create their own ServiceAccount. I see it when creating a new Helm chart with helm create. Some popular charts also do it (for example bitnami mariadb or prometheus) while others don’t (for example mattermost or bitnami wordpress).

Every time I see this pattern the service account isn’t even bound to a role, so what’s the rationale behind this? And am I being overzealous trying to remove unnecessary ServiceAccounts and restricting roles to create them?
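One way to answer "is this ServiceAccount actually needed" for a given chart is to audit what `helm template` renders: which pod controllers reference each ServiceAccount, which RoleBindings or ClusterRoleBindings grant it anything, and whether API-token automounting is disabled. The script below is an added example and not part of the original post or of any Helm chart; it assumes the rendered manifests have already been parsed into Python dicts (for instance with `yaml.safe_load_all` over the output of `helm template`), and the manifests embedded in it are constructed for illustration.

```python
"""Audit rendered Kubernetes manifests for ServiceAccount usage.

For every ServiceAccount in the manifest set, record which pod controllers
reference it, which (Cluster)RoleBindings grant it permissions, and whether
automountServiceAccountToken is disabled on the ServiceAccount object.
"""
from dataclasses import dataclass, field

# Kinds whose spec.template.spec is a pod spec.
POD_TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


@dataclass
class SaReport:
    namespace: str
    name: str
    used_by: list = field(default_factory=list)   # e.g. "Deployment/myapp"
    bound_by: list = field(default_factory=list)  # e.g. "RoleBinding/view"
    automount: bool = True  # Kubernetes default when the field is unset

    @property
    def unused(self) -> bool:
        """True when no workload references the SA and no binding grants it anything."""
        return not self.used_by and not self.bound_by


def _pod_spec(obj):
    """Return the pod spec embedded in a workload object, or None."""
    kind = obj.get("kind")
    spec = obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    if kind in POD_TEMPLATE_KINDS:
        return spec.get("template", {}).get("spec", {})
    return None


def audit_service_accounts(objects, default_namespace="default"):
    """Map (namespace, name) -> SaReport for every ServiceAccount in `objects`."""
    reports = {}
    for obj in objects:
        if obj.get("kind") != "ServiceAccount":
            continue
        md = obj.get("metadata", {})
        rep = SaReport(md.get("namespace", default_namespace), md["name"])
        # automountServiceAccountToken is a top-level field on the ServiceAccount;
        # a pod spec may still override it per pod, which this audit does not track.
        if obj.get("automountServiceAccountToken") is False:
            rep.automount = False
        reports[(rep.namespace, rep.name)] = rep

    for obj in objects:
        kind = obj.get("kind")
        md = obj.get("metadata", {})
        ns = md.get("namespace", default_namespace)
        ref = f"{kind}/{md.get('name')}"
        pod = _pod_spec(obj)
        if pod is not None:
            # Pods fall back to the namespace's "default" SA when none is named.
            sa = pod.get("serviceAccountName") or pod.get("serviceAccount") or "default"
            if (ns, sa) in reports:
                reports[(ns, sa)].used_by.append(ref)
        if kind in ("RoleBinding", "ClusterRoleBinding"):
            for subj in obj.get("subjects", []):
                if subj.get("kind") != "ServiceAccount":
                    continue
                key = (subj.get("namespace", ns), subj["name"])
                if key in reports:
                    reports[key].bound_by.append(ref)
    return reports


def findings(reports):
    """Human-readable findings, one line per noteworthy ServiceAccount."""
    out = []
    for rep in reports.values():
        sa = f"{rep.namespace}/{rep.name}"
        if rep.unused:
            out.append(f"{sa}: not referenced by any workload or binding (candidate for removal)")
        elif not rep.bound_by:
            out.append(f"{sa}: used by {', '.join(rep.used_by)} but bound to no role")
        if rep.automount and rep.used_by:
            out.append(f"{sa}: API token is automounted into {', '.join(rep.used_by)}")
    return out


# Constructed sample, shaped like what `helm template` renders for a small chart.
SAMPLE_MANIFESTS = [
    {"kind": "ServiceAccount", "metadata": {"name": "myapp", "namespace": "team-a"}},
    {"kind": "ServiceAccount", "metadata": {"name": "orphan", "namespace": "team-a"}},
    {"kind": "ServiceAccount", "metadata": {"name": "exporter", "namespace": "team-a"},
     "automountServiceAccountToken": False},
    {"kind": "Deployment", "metadata": {"name": "myapp", "namespace": "team-a"},
     "spec": {"template": {"spec": {"serviceAccountName": "myapp", "containers": []}}}},
    {"kind": "RoleBinding", "metadata": {"name": "exporter-view", "namespace": "team-a"},
     "subjects": [{"kind": "ServiceAccount", "name": "exporter", "namespace": "team-a"}],
     "roleRef": {"kind": "Role", "name": "view"}},
]

if __name__ == "__main__":
    for line in findings(audit_service_accounts(SAMPLE_MANIFESTS)):
        print(line)
```

Run against a real chart with `helm template <release> <chart> | python -c '...'` feeding `yaml.safe_load_all` into `audit_service_accounts`; an SA that is used by a workload but bound to nothing is exactly the pattern the post describes, and for such workloads the relevant hardening is usually `automountServiceAccountToken: false` rather than the SA's existence itself.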