What's the purpose of a pod's service account, if automountServiceAccountToken is set to false?

Question

The API credentials for service accounts are normally mounted in pods as:

/var/run/secrets/kubernetes.io/serviceaccount/token

This token allows containerized processes in the pod to communicate with the API server.

What's the purpose of a pod's service account (serviceAccountName), if automountServiceAccountToken is set to false?

Answer 1

A little of theory:

Let's start with what happens when pod should be created.

When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace

Reference.

So all pods are linked to service account anyway (default or specified in spec).

Then API access token is always generated for each service account.

automountServiceAccountToken flag defines if this token will automatically mounted to the pod after it has been created.

There are two options where to set this flag:

• In a specific service account

  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: build-robot
  automountServiceAccountToken: false
  ...
  

• In a specific pod

  apiVersion: v1
  kind: Pod
  metadata:
    name: my-pod
  spec:
    serviceAccountName: build-robot
    automountServiceAccountToken: false
    ...
  

---

Answer:

What's the purpose of a pod's service account (serviceAccountName), if automountServiceAccountToken is set to false?

It may make a difference depending on what processes are involved in pod creation. Good example is in comments in GitHub issue (where this flag eventually came from):

There are use cases for still creating a token (for use with external systems) or still associating a service account with a pod (for use with image pull secrets), but being able to opt out of API token automount (either for a particular pod, or for a particular service account) is useful.