I want to create a serviceaccount in Kubernetes with no permissions.
However, creating a new serviceaccount as follows results in a privileged serviceaccount, sa, that is able to e.g. retrieve pod information:
kubectl create serviceaccount sa -n devns
nlykkei:~/projects/k8s-examples$ kubectl get pods --as=system:serviceaccount:devns:sa -v6
I0318 16:12:34.161300 3466 loader.go:359] Config loaded from file: /Users/nlykkei/.kube/config
I0318 16:12:34.179023 3466 round_trippers.go:438] GET https://kubernetes.docker.internal:6443/api/v1/namespaces/default/pods?limit=500 200 OK in 11 milliseconds
I0318 16:12:34.179299 3466 get.go:564] no kind "Table" is registered for version "meta.k8s.io/v1beta1" in scheme "k8s.io/kubernetes/pkg/api/legacyscheme/scheme.go:30"
No resources found.
nlykkei:~/projects/k8s-examples$ kubectl auth can-i --list --as=system:serviceaccount:devns:sa
Resources Non-Resource URLs Resource Names Verbs
*.* [] [] [*]
[*] [] [*]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]How can I create a serviceaccount with no permissions initially?
DfM Kubernetes injects a ClusterRoleBinding called docker-for-desktop-binding which does indeed give all perms to everything.