Kubernetes Service Account details

To create a Service Account use the following command:

kubectl create sa app-sa

When the Service Account is created it also creates a token automatically. The Service Account token is what might be used by the external application while authenticating to the Kubernetes API. The token is stored as a Secret Object - you can see it in describe command:

kubectl describe sa app-sa

To view the token use the command to describe respective secret:

kubectl describe secret app-sa-token-ookeb

If your 3rd party application is hosted on the Kubernetes cluster itself, then the above process might be simplified by automatically mount secret token as volume to the application Pod.
The default Service Account in each namespace is automatically mounted as secret volume to each Pod in that namespace. You can see it by describing the Pod and check the line:

Mounts:
    /var/run/secrets/kubernetes.io/serviceaccount from default-token-u8ea7 (ro)

If you want to view the token use the following command:

kubectl exec -it my-app cat /var/run/secrets/kubernetes.io/serviceaccount/token

The default Service Account is very restrictive, it only has few permissions to accesss the API. If you want to use another Service Account for Pod - include it in Pod definition spec.serviceAccountName:

spec:
  serviceAccountName: app-sa
...

You cannot modify Service Account of an existing Pod, you must delete and recreate the Pod. In case of Deployment, the Pods will be automatically recreated.

Also, you might choose to not to mount Service Account automatically by using the option spec.automountServiceAccountToken:

spec
  automountServiceAccountToken: false
...