Only enable ServiceAccounts for some pods in Kubernetes


I use the Kubernetes ServiceAccount plugin to automatically inject a ca.crt and token into my pods. This is useful for applications such as kube2sky which need to access the API Server.

However, I run many hundreds of other pods that don't need this token. Is there a way to stop the ServiceAccount plugin from injecting the default-token into these pods (or, even better, have it off by default and turn it on explicitly for a pod)?

-- Andy Smith

2 Answers


As of Kubernetes 1.6+ you can now disable automounting API credentials for a particular pod, as stated in the Kubernetes Service Accounts documentation:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  # Do not mount the ServiceAccount token and ca.crt into this pod
  automountServiceAccountToken: false
-- Hans Kristian
Source: StackOverflow
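
The following is an added example, not code from either answer or from the Kubernetes project. It audits which pods still get a token mounted, applying the rule that a pod-level `automountServiceAccountToken` takes precedence over the same field on its ServiceAccount, and that the token is mounted when neither is set. The listing is constructed sample data shaped like `kubectl get pods,serviceaccounts -o json` output; the `apps` namespace and the pod names other than `my-pod` are assumptions.

```python
import json

# Constructed sample, shaped like `kubectl get pods,serviceaccounts -o json`.
# The "default" ServiceAccount opts out, so pods must opt in explicitly.
SAMPLE = json.loads("""
{"items": [
  {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "apps"},
   "automountServiceAccountToken": false},
  {"kind": "ServiceAccount", "metadata": {"name": "build-robot", "namespace": "apps"}},
  {"kind": "Pod", "metadata": {"name": "web-1", "namespace": "apps"},
   "spec": {}},
  {"kind": "Pod", "metadata": {"name": "kube2sky", "namespace": "apps"},
   "spec": {"automountServiceAccountToken": true}},
  {"kind": "Pod", "metadata": {"name": "my-pod", "namespace": "apps"},
   "spec": {"serviceAccountName": "build-robot", "automountServiceAccountToken": false}},
  {"kind": "Pod", "metadata": {"name": "ci-runner", "namespace": "apps"},
   "spec": {"serviceAccountName": "build-robot"}}
]}
""")


def effective_automount(pod, service_accounts):
    """Return True if the API token will be mounted into this pod."""
    spec = pod.get("spec", {})
    # 1. An explicit pod-level setting always wins.
    if spec.get("automountServiceAccountToken") is not None:
        return spec["automountServiceAccountToken"]
    # 2. Otherwise the setting on the pod's ServiceAccount applies.
    key = (pod["metadata"]["namespace"], spec.get("serviceAccountName", "default"))
    sa = service_accounts.get(key, {})
    if sa.get("automountServiceAccountToken") is not None:
        return sa["automountServiceAccountToken"]
    # 3. Neither is set: the token is mounted.
    return True


def pods_with_token(listing):
    """Return sorted namespace/name of every pod that gets a token."""
    sas = {(i["metadata"]["namespace"], i["metadata"]["name"]): i
           for i in listing["items"] if i["kind"] == "ServiceAccount"}
    return sorted(f'{i["metadata"]["namespace"]}/{i["metadata"]["name"]}'
                  for i in listing["items"]
                  if i["kind"] == "Pod" and effective_automount(i, sas))


if __name__ == "__main__":
    for name in pods_with_token(SAMPLE):
        print("token mounted:", name)
```

In the sample, `ci-runner` is the pod to review: its ServiceAccount never opts out, so it receives a token without anyone having asked for one.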


Right now there isn't a way to enable a service account for some pods but not others, although you can use ABAC for some service accounts to restrict access to the apiserver.

This issue is being discussed in and I'd encourage you to add your use case to that issue and see when it will be implemented.

-- Robert Bailey
Source: StackOverflow