In Kubernetes, applications that need to interact with the Kubernetes API should never use a developer’s personal credentials. Instead, Kubernetes provides a built-in, secure, and auditable mechanism for workload authentication and authorization using ServiceAccounts. Creating a dedicated ServiceAccount and binding it to the Pod is the correct and recommended approach, making option A the correct answer.
A ServiceAccount represents an identity for processes running inside Pods. When a Pod is configured to use a specific ServiceAccount, Kubernetes automatically injects a short-lived authentication token into the Pod. This token is securely mounted and can be used by the application to authenticate to the Kubernetes API server. Access to API resources is then controlled using RBAC (Role-Based Access Control) by binding roles or cluster roles to the ServiceAccount, ensuring the application has only the permissions it needs—following the principle of least privilege.
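The pattern described above, as an added example that is not part of the original answer: a dedicated ServiceAccount, a namespace-scoped Role limited to reading Pods, a RoleBinding granting that Role to the ServiceAccount, and a Pod that runs under it and calls the API with the automatically mounted token. The namespace `team-a` and the names `app-reader`, `pod-reader` and `api-client` are assumed for illustration.

```yaml
# Added example (assumed names: team-a, app-reader, pod-reader, api-client).
# Apply with: kubectl apply -f this-file.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-reader
  namespace: team-a
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: team-a
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]   # read-only: least privilege for this workload
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-reader-pod-reader
  namespace: team-a
subjects:
- kind: ServiceAccount
  name: app-reader
  namespace: team-a
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: api-client
  namespace: team-a
spec:
  serviceAccountName: app-reader   # not the default ServiceAccount
  containers:
  - name: client
    image: curlimages/curl:latest
    command: ["sh", "-c"]
    args:
    - |
      # Token and CA bundle are injected by Kubernetes at this well-known path
      TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
      curl -sS --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
        -H "Authorization: Bearer $TOKEN" \
        https://kubernetes.default.svc/api/v1/namespaces/team-a/pods
```

Before deploying, the granted permissions can be verified from outside the Pod with `kubectl auth can-i list pods -n team-a --as=system:serviceaccount:team-a:app-reader` (and `can-i delete pods ...` should answer `no`).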
Option B is incorrect because manually generating certificates for application access is not the standard or recommended method for in-cluster authentication. Kubernetes manages ServiceAccount tokens automatically and rotates them as needed, providing a simpler and more secure solution. Option C is incorrect because using a developer’s kubeconfig file inside an application introduces serious security risks and violates best practices by coupling workloads to personal credentials. Option D is also incorrect because relying on the default ServiceAccount is discouraged; it often has no permissions or, in some cases, broader permissions than intended. Creating a dedicated ServiceAccount provides clearer security boundaries and auditability.
Using ServiceAccounts integrates cleanly with Kubernetes’ authentication and authorization model and is explicitly designed for applications and controllers running inside the cluster. This approach ensures secure API access, centralized permission management, and operational consistency across environments.
Therefore, the correct and verified answer is Option A: Create a ServiceAccount and bind it to the Pod for API access.