When a new namespace is created in Kubernetes, the ServiceAccount controller creates a ServiceAccount named default in it. On clusters before Kubernetes 1.24 the Token controller also created a corresponding ServiceAccount token Secret and listed it in the ServiceAccount's secrets field, so that workloads running under that identity could access the API. The listing below comes from such a cluster (the values of $CA and $TOKEN are elided):
apiVersion: v1
items:
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: default
    namespace: dev
  secrets:
  - name: default-token-lrvlp # secret used by the service account
- apiVersion: v1
  data:
    ca.crt: $CA
    namespace: ZGV2    # base64 of "dev"
    token: $TOKEN
  kind: Secret
  metadata:
    annotations:
      kubernetes.io/service-account.name: default
    name: default-token-lrvlp
    namespace: dev
  type: kubernetes.io/service-account-token
kind: List
When a pod is created without an explicit serviceAccountName, the ServiceAccount admission controller sets it to default. All good till now. But it also adds a volume that carries the account's credentials into the container. On older clusters that volume was the Secret itself; on current clusters the kubelet builds the projected volume shown below, which lands the same three files (token, ca.crt, namespace) at /var/run/secrets/kubernetes.io/serviceaccount, except that the token is no longer copied from the Secret: it is requested from the TokenRequest API, bound to this pod, and rotated by the kubelet before expirationSeconds elapses.
serviceAccountName: default
volumes:
- name: kube-api-access-fcdwf
  projected:
    defaultMode: 420    # 0644
    sources:
    - serviceAccountToken:          # short-lived bound token from the TokenRequest API
        expirationSeconds: 3607
        path: token
    - configMap:                    # cluster CA, from the per-namespace kube-root-ca.crt ConfigMap
        items:
        - key: ca.crt
          path: ca.crt
        name: kube-root-ca.crt
    - downwardAPI:                  # the pod's own namespace
        items:
        - fieldRef:
            apiVersion: v1
            fieldPath: metadata.namespace
          path: namespace
The pod is already running as the default ServiceAccount, so why are that account's credentials mounted into the container as well? Note that the serviceAccountName field by itself authenticates nothing: it only tells the control plane which identity the pod's processes should receive. Any process in the container that calls the API server has to present the token from that mount as a bearer token, and every process in the container, including one an attacker has managed to start, can read it.
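As an added example (not code from the original post), here is a small Python script that inspects what lands in that volume. It decodes the token's JWT payload without verifying the signature and reports whether it is a legacy Secret-backed token (no exp, no aud, flat kubernetes.io/serviceaccount/* claims) or a bound projected token (expires, audience-restricted, tied to a pod). The mount path is the standard one; the two sample tokens and their claim values are constructed test data with a placeholder signature, so the script runs offline and nothing in it can be presented to a real cluster.

```python
import base64
import json
import os
import time

# Path where the kubelet mounts the projected service account volume shown above.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload of a JWT without verifying its signature.

    Inside the pod we only hold the cluster CA certificate, not the API
    server's token-signing key, so the signature cannot be checked here.
    This is for inspection only, never for deciding whether to trust a token.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 segments)")
    return json.loads(b64url_decode(parts[1]))


def describe_token(token: str, now=None) -> dict:
    """Classify a service account token as legacy (Secret-backed) or bound (projected)."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    bound = "exp" in claims and "kubernetes.io" in claims
    info = {
        "subject": claims.get("sub"),
        "issuer": claims.get("iss"),
        "kind": "bound" if bound else "legacy",
        "audiences": claims.get("aud", []),
        "expires_in_s": None,
        "pod": None,
    }
    if bound:
        info["expires_in_s"] = int(claims["exp"] - now)
        info["pod"] = claims["kubernetes.io"].get("pod", {}).get("name")
    return info


def read_mounted_credentials(sa_dir: str = SA_DIR) -> dict:
    """Read the three files the projected volume places in the container."""
    files = {}
    for name in ("token", "ca.crt", "namespace"):
        with open(os.path.join(sa_dir, name), "r", encoding="utf-8") as f:
            files[name] = f.read().strip()
    return files


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED sample JWT (constructed test data, not issued by any cluster)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


# Constructed sample claims mirroring the two token formats Kubernetes issues.
# Legacy Secret-backed token: no expiry, no audience, namespace and secret in flat claims.
LEGACY_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "dev",
    "kubernetes.io/serviceaccount/secret.name": "default-token-lrvlp",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "kubernetes.io/serviceaccount/service-account.uid": "11111111-2222-3333-4444-555555555555",
    "sub": "system:serviceaccount:dev:default",
}
# Bound token from the projected volume: expires, audience-scoped, tied to the pod.
NOW = 1_700_000_000  # fixed "current time" for the constructed sample
BOUND_CLAIMS = {
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "exp": NOW + 3607,
    "iat": NOW,
    "nbf": NOW,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {
        "namespace": "dev",
        "pod": {"name": "app-7d9f8", "uid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
        "serviceaccount": {"name": "default", "uid": "11111111-2222-3333-4444-555555555555"},
    },
    "sub": "system:serviceaccount:dev:default",
}

if __name__ == "__main__":
    for label, claims in (("legacy", LEGACY_CLAIMS), ("bound", BOUND_CLAIMS)):
        print(label, describe_token(make_sample_token(claims), now=NOW))
    if os.path.isdir(SA_DIR):  # running inside a real pod: inspect what was mounted
        creds = read_mounted_credentials()
        print("namespace file:", creds["namespace"])
        print("mounted token:", describe_token(creds["token"]))
```

Run it inside a container and the last two lines show the live mount; run it anywhere else and only the two constructed samples are reported. A legacy token with no exp claim stays valid until the Secret is deleted, which is why finding one on a compromised pod is worse than finding a bound token that the kubelet replaces roughly every hour.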