What permissions does a pod have when accessing the Kubernetes API?

Question

The kubernetes documentation states the following under "Accessing the API from within a Pod":

The easiest way to use the Kubernetes API from a Pod is to use one of the official client libraries. These libraries can automatically discover the API server and authenticate.

I have pods running theia-ide, a cloud-based IDE, where each user can access the console for their container. Can they access the Kubernetes API from that container without authenticating?

score 1 · Accepted Answer · answered Aug 06 '20 at 23:09

I found some other documentation that explained things further. Apparently pods get assigned to the default service account, which (as I understand) does not come with any permissions by default. If a pod needs more permissions, you can create a custom service account with its own role bindings, and then assign the pod to use that service account instead of default using the spec.serviceAccountName property.

What permissions does a pod have when accessing the Kubernetes API?

1 Answers1