====== Pod ↔ Service Account Binding ======

**What it is:** The relationship between a Pod and the Kubernetes Service Account (SA) it uses.

**What it’s for:**
  * Decide which identity the Pod uses inside Kubernetes.
  * Enable mapping from Pod → SA → IAM Role (with IRSA).

**Key ideas:**
  * A Pod specifies `serviceAccountName`.
  * If it is not set, the Pod uses the namespace's `default` service account.
  * Best practice: create a dedicated SA for each microservice that needs distinct permissions.

**Exam cues:**
  * “separate permissions per microservice” → separate service accounts.

**Hard words:**
  * *binding* /ˈbaɪndɪŋ/: attachment, linkage
  * *dedicated* /ˈdedɪkeɪtɪd/: special-purpose, separate