Let's say I set up a fresh Kubernetes cluster. I assume both the kube-system and default namespaces will get a service account named default? Which permissions does that service account have? Full read/write permissions?
I'm essentially asking this to understand best practices to give a custom Go controller write access to resources.
Service accounts have no inherent permissions. The permissions they have depend entirely on the authorization mode configured (the --authorization-mode flag passed to the apiserver).
Defining RBAC roles is a good method for specifying the permissions required for a controller.
There are existing role definitions for in-tree controllers at https://github.com/kubernetes/kubernetes/tree/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy
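As an added illustration (not part of the answer above), this is how a custom controller can be given its own service account and a namespace-scoped Role that grants write access only to the resources it manages, which applies when the apiserver runs with the RBAC authorizer. The namespace, object names and resource kinds are assumptions chosen for the example.

```yaml
# Added example: least-privilege RBAC for a custom controller.
# Namespace "apps", name "my-controller" and the resource kinds are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-controller          # dedicated identity; do not reuse "default"
  namespace: apps
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                     # namespace-scoped; a ClusterRole is only
metadata:                      # needed if the controller spans namespaces
  name: my-controller
  namespace: apps
rules:
  # Read-only access to the objects the controller watches
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Write access limited to the objects the controller owns
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Emitting Events lets the controller report what it did
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding              # ties the Role to the service account
metadata:
  name: my-controller
  namespace: apps
subjects:
  - kind: ServiceAccount
    name: my-controller
    namespace: apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: my-controller
```

Reference the account from the controller's Deployment with spec.template.spec.serviceAccountName: my-controller, and confirm the grant is no wider than intended with `kubectl auth can-i create configmaps -n apps --as=system:serviceaccount:apps:my-controller` (expected "yes") versus `kubectl auth can-i delete pods -n apps --as=system:serviceaccount:apps:my-controller` (expected "no").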