What are the best practices for serviceaccounts?

6/19/2018

How are service accounts supposed to be used? Should we create one service account per container? Is there any concept equivalent to "user group" in order to group service accounts?

-- phil91
kubernetes

1 Answer

6/20/2018

Service Accounts are used by Pods to get access to the Kubernetes API or Secrets. When a Pod is created, it gets a Service Account. The default Service Account for the same namespace is assigned to a Pod automatically. It can be specified in the description of a Pod. Here you can find some examples: Configure Service Accounts for Pods

How are service accounts supposed to be used?

If you want to configure permissions different from the default, you need to use Service Accounts.

Should we create one service account per container?

In Kubernetes, a Pod is a set of one or more containers.
You can create one Service Account and assign it to the first set of Pods. After that, create another Service Account with different permissions and assign it to the second set of Pods.

Is there any concept equivalent to "user group" in order to group service accounts?

There is no such equivalent. But in terms of "user", "group", "role", we can say that a Service Account is like a "role" for a Pod.

For more information, you can look through these links:

-- Artem Golenyaev
Source: StackOverflow
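
The pattern described in the answer above, as an added example that is not part of the original answer: two Service Accounts in one namespace, each assigned to a different set of Pods, with only the first granted read access to Pods through RBAC. The namespace, account, role, binding, Pod and image names are all hypothetical.

```yaml
# Constructed example; every name here (demo, api-reader, worker, ...) is hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata: {name: api-reader, namespace: demo}
---
apiVersion: v1
kind: ServiceAccount
metadata: {name: worker, namespace: demo}
automountServiceAccountToken: false   # assumption: these Pods never call the API
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: pod-reader, namespace: demo}
rules:
  - apiGroups: [""]                   # "" is the core API group
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: api-reader-can-read-pods, namespace: demo}
subjects:
  - kind: ServiceAccount              # only api-reader is bound; worker gets nothing
    name: api-reader
    namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
---
apiVersion: v1
kind: Pod                             # first set of Pods: may read Pods in "demo"
metadata: {name: dashboard, namespace: demo}
spec:
  serviceAccountName: api-reader
  containers:
    - name: app
      image: registry.example/dashboard:1.0   # placeholder image
---
apiVersion: v1
kind: Pod                             # second set of Pods: no API permissions, no token mounted
metadata: {name: batch-worker, namespace: demo}
spec:
  serviceAccountName: worker
  containers:
    - name: app
      image: registry.example/worker:1.0      # placeholder image
```

To check the result, `kubectl auth can-i list pods -n demo --as=system:serviceaccount:demo:api-reader` should answer `yes`, and the same query for `worker` should answer `no`.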