Create a Pod running the Nginx image:

kubectl run simple-pod --image=nginx

You can use -o yaml to get the YAML representation of the Pod, like this: kubectl get po simple-pod -o yaml. If you look through the output, you will notice the following line:

serviceAccountName: default

Even though we haven't explicitly set the service account name, Kubernetes assigned the default service account to the Pod.

Let's run kubectl describe serviceaccount default or kubectl describe sa default to see the details of the default service account:

$ kubectl describe sa default
Name:                default
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   default-token-qjdzv
Tokens:              default-token-qjdzv
Events:              <none>

Let's invoke the Kubernetes API using the service account token. First, we will get a shell inside the container:

$ kubectl exec -it simple-pod -- /bin/bash
root@simple-pod:/#

We will store the auth token in the TOKEN variable, so we can use it when invoking the API:

$ TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)

If you're curious about the encoded information in the token, you can head to https://jwt.io and decode your token to look at the payload. Here's what the payload for my token looks like:

{
  "iss": "kubernetes/serviceaccount",
  "kubernetes.io/serviceaccount/namespace": "default",
  "kubernetes.io/serviceaccount/secret.name": "default-token-5h8g8",
  "kubernetes.io/serviceaccount/service-account.name": "default",
  "kubernetes.io/serviceaccount/service-account.uid": "d75bbef1-cb26-48fc-8a4e-511fd112c864",
  "sub": "system:serviceaccount:default:default"
}
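
The same payload can be decoded locally, so the token never leaves the Pod. The script below is an added example, not part of the original tutorial; the function names and the sample token are constructed for illustration, and it assumes the coreutils `base64` and `tr` are present in the container.

```shell
#!/bin/sh
# Added example: decode the claims of a service account JWT locally.

# b64url_decode: decode one base64url segment (URL-safe alphabet, padding stripped).
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    # Restore the '=' padding that JWT encoding removes.
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
        1) echo "invalid base64url length" >&2; return 1 ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# jwt_payload: print the claims (second dot-separated segment) of a JWT.
# It only decodes; it does not verify the signature.
jwt_payload() {
    token=$1
    # A compact JWT has exactly three segments: header.payload.signature
    dots=$(printf '%s' "$token" | tr -cd '.' | wc -c)
    [ "$dots" -eq 2 ] || { echo "not a three-part JWT" >&2; return 1; }
    payload=${token#*.}      # drop the header
    payload=${payload%%.*}   # drop the signature
    b64url_decode "$payload"
}

# b64url_encode: used only to build the constructed sample token below.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# sample_token: constructed token with a placeholder signature (not a real credential).
sample_token() {
    header='{"alg":"RS256","typ":"JWT"}'
    claims='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:default"}'
    printf '%s.%s.%s' "$(b64url_encode "$header")" "$(b64url_encode "$claims")" "constructed-signature"
}

jwt_payload "$(sample_token)"; echo
# Inside the Pod, after setting TOKEN as shown above: jwt_payload "$TOKEN"
```
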

We will use the TOKEN as the bearer token and invoke the Kubernetes API. The Kubernetes API is exposed through the Service called kubernetes in the default namespace.

Here's how we can try and invoke the API from within the container: