====== Kubernetes Service Account ======

**What it is:** An identity for processes running in a pod in Kubernetes.

**What it’s for:**
  * Provide pod-level identity inside Kubernetes.
  * When combined with IRSA, map pods to AWS IAM roles.

**Key ideas:**
  * Not the same as an IAM user/role, but can be mapped to one (IRSA).
  * Used for least privilege at pod level.

**Exam cues:**
  * “pod identity” → service account.
  * “different permissions per microservice pod” → different service accounts + IRSA.

**Hard words:**
  * *identity* /aɪˈdentəti/: identity (Vietnamese: danh tính)
  * *map* /mæp/: to map, mapping (Vietnamese: ánh xạ)