What is a service account token? A service account token is one of the authorization methods in the Kubernetes API, an alternative to the Static Token File and client certificates. To obtain the token, you need to create a service account (ServiceAccount) and associate it with a cluster role.
Can a pod have multiple service accounts? Use Multiple Service Accounts
To use a non-default service account, set the spec.serviceAccountName field of a pod to the name of the service account you wish to use. The service account has to exist at the time the pod is created, or the pod will be rejected.
Where is the service account token? If a long-running service is created as a pod in your cluster, the service account token is mounted on the pod. You can use this service account token that is available in the pod to access the API server. For more information, see Obtaining the service account token from the pod.
Do service account tokens expire? A ServiceAccountToken is acquired from kube-apiserver via the TokenRequest API. It will expire after 1 hour by default or when the pod is deleted. It is bound to the pod and has kube-apiserver as the audience.
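The properties described above (expiry, pod binding, audience) can be checked by inspecting a token's claims. The following is an added example, not code from the original page: the helper names, the audience string and both sample tokens are constructed for illustration, and the claim layout under `kubernetes.io` is assumed to match what the TokenRequest API issues for bound tokens.

```python
import base64, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token: str, expected_aud: str, now: float, max_ttl: int = 3600) -> list:
    """Return findings; an empty list means the token looks bound and short-lived."""
    c = decode_claims(token)
    findings = []
    exp = c.get("exp")
    if exp is None:
        findings.append("no exp claim: token never expires")
    elif exp <= now:
        findings.append("token already expired")
    elif exp - c.get("iat", now) > max_ttl:
        findings.append("lifetime exceeds %d seconds" % max_ttl)
    aud = c.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_aud not in aud:
        findings.append("audience does not include " + expected_aud)
    if "pod" not in c.get("kubernetes.io", {}):
        findings.append("not bound to a pod")
    return findings

def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, b64url(json.dumps(claims).encode()), "sig"])

NOW = 1_700_000_000                     # constructed timestamp
AUD = "https://kubernetes.default.svc"  # assumed audience value
BOUND = make_sample({"aud": [AUD], "iat": NOW - 60, "exp": NOW + 3540,
    "sub": "system:serviceaccount:demo:app",
    "kubernetes.io": {"namespace": "demo", "pod": {"name": "app-0", "uid": "constructed"},
                      "serviceaccount": {"name": "app", "uid": "constructed"}}})
LEGACY = make_sample({"iss": "kubernetes/serviceaccount",  # secret-based token, no exp
    "sub": "system:serviceaccount:demo:app", "kubernetes.io/serviceaccount/namespace": "demo"})

if __name__ == "__main__":
    print("bound :", audit_token(BOUND, AUD, NOW))
    print("legacy:", audit_token(LEGACY, AUD, NOW))
```

Inside a pod, the token to pass to `audit_token` is the file mounted at `/var/run/secrets/kubernetes.io/serviceaccount/token`; decoding here does not validate the signature, so the result describes the token's claims, not its authenticity.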