Service account documentation.

Fixes #9344. Depends on #9821. Update Secrets documentation to explain how secrets can be created/used manually, or automatically with service accounts. Greatly expanded service account documentation. Added a service account admin guide. Lots of cross-references.
2025-09-08 04:32:37 +00:00 · 2015-05-21 13:25:20 -07:00
parent 51e0647f41
commit 0b4ced80a7
5 changed files with 275 additions and 35 deletions
--- a/docs/accessing-the-cluster.md
+++ b/docs/accessing-the-cluster.md
@@ -102,10 +102,10 @@ the `kubernetes` DNS name, which resolves to a Service IP which in turn
 will be routed to an apiserver.

 The recommended way to authenticate to the apiserver is with a
-[service account](../docs/service_accounts.md).  By default, a pod
+[service account](service_accounts.md) credential.  By default, a pod
 is associated with a service account, and a credential (token) for that
 service account is placed into the filesystem tree of each container in that pod,
-at `/var/run/secrets/kubernetes.io/serviceaccount`.
+at `/var/run/secrets/kubernetes.io/serviceaccount/token`.

 From within a pod the recommended ways to connect to API are:
  - run a kubectl proxy as one of the containers in the pod, or as a background
@@ -115,6 +115,7 @@ From within a pod the recommended ways to connect to API are:
    in a pod](../examples/kubectl-container/).
  - use the Go client library, and create a client using the `client.NewInContainer()` factory.
    This handles locating and authenticating to the apiserver.
+In each case, the credentials of the pod are used to communicate securely with the apiserver.


 ## <a name="otherservices"></a>Accessing services running on the cluster