service-account-pod.yaml
---
# Namespaced Role: read-only access to Pod objects in "default".
# It grants no write verbs and nothing outside this namespace.
# Reading pods still returns full pod specs, including inline env values.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-pod-read
  namespace: default
rules:
  - apiGroups:
      - ""  # the empty string selects the core API group
    resources:
      - pods
    verbs:
      - get
      - watch
      - list
---
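# Binds role-pod-read to the service-account-pod-read ServiceAccount,
# scoped to the "default" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: service-account-rolebinding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: service-account-pod-read
    # A ServiceAccount subject must name its namespace. Without it the API
    # server rejects the binding (subjects[0].namespace: Required value).
    namespace: default
roleRef:
  # roleRef cannot be changed after creation; to point at a different Role,
  # delete the binding and create it again.
  kind: Role
  name: role-pod-read
  apiGroup: rbac.authorization.k8s.io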
---
# Dedicated identity for the demo pod, so it does not run as the namespace's
# "default" ServiceAccount. In this file its only grant is role-pod-read,
# attached through service-account-rolebinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: service-account-pod-read
---
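# Demo pod: lists the pods in "default" through the API server, authenticating
# with its mounted ServiceAccount token, then sleeps for an hour.
apiVersion: v1
kind: Pod
metadata:
  name: service-account-pod
  namespace: default
spec:
  # serviceAccountName is the current field; "serviceAccount" is a deprecated
  # alias of it.
  serviceAccountName: service-account-pod-read
  containers:
    - name: pods-simple-container
      # NOTE(review): an untagged image resolves to "latest", so the contents
      # can change between pulls. Pin a reviewed tag or digest.
      image: ubuntu
      # NOTE(review): installing curl at start-up needs root and outbound
      # network access. An image that already ships curl would let this
      # container run as non-root with a read-only root filesystem.
      #
      # The API server certificate is verified against the cluster CA mounted
      # next to the token (--cacert), not skipped with --insecure. The bearer
      # token is therefore only sent to an endpoint that proves its identity.
      command:
        - /bin/bash
        - "-c"
        - |
          SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
          apt update -y -qq &&
          apt install -qq -y curl &&
          curl -s --cacert "${SA_DIR}/ca.crt" \
            --header "Authorization: Bearer $(cat "${SA_DIR}/token")" \
            https://kubernetes.default.svc/api/v1/namespaces/default/pods &&
          sleep 3600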