Unresolved ServiceAccount reference in container

ServiceAccounts grant Kubernetes API permissions to workloads. This validator detects when a ServiceAccount referred in a workload is not found.

Affected Resources: Deployment, DaemonSet, StatefulSet, CronJob, Job, ReplicaSet, Pod

Examples

kind: Deployment
spec:
  template:
    spec:
      serviceAccountName: build-robot    # Service Account not found
...

apiVersion: v1
kind: ServiceAccount
metadata:
  name: robot                            # Different name

Resolution

Check if the ServiceAccount is present in the same namespace.

Check if the ServiceAccount is present in a different namespace. Kubevious Search can be a very handy tool to find ServiceAccounts across namespaces. You cannot mount a ServiceAccount from a different namespaces. In that case you would need to create a ServiceAccount in namespace where the workload resides.

Did you make a typo in the workload? Kubevious Search uses fuzzy logic to return results and can help with finding the correct ServiceAccount.

Learn More

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Unresolved ServiceAccount reference in Binding

Unused Role

Need other validation rules?

Please let us know if there are other built-in validation rules you would like to see in Kubevious to detect misconfigurations and violations to best practices. Optionally, you can provide your details so we can reach out to you with follow-up questions.

Share this article on: