Service Account Security: Tokens, RBAC Binding, and Workload Identity

Calendar February 22, 2026
Kubernetes
Intermediate, Advanced
Service-Account-Hardening, Workload-Identity-Configuration, Token-Management, Rbac-Binding
Service-Accounts, Security, Rbac, Workload-Identity, Tokens, Iam
Kubectl, Gcloud, Aws, Az

Service Account Security#

Every pod in Kubernetes runs as a service account. By default, that is the default service account in the pod’s namespace, with an auto-mounted API token that never expires. This default configuration is overly permissive for most workloads. Hardening service accounts is one of the highest-impact security improvements you can make in a Kubernetes cluster.

The Default Problem#

When a pod starts without specifying a service account, Kubernetes does three things: