What it is: The relationship between a Pod and the Kubernetes Service Account (SA) it uses.

What it’s for:

• Decide which identity the Pod uses inside Kubernetes.
• Enable mapping from Pod → SA → IAM Role (with IRSA).

Key ideas:

• A Pod specifies `serviceAccountName`.
• If not set, it uses the namespace default service account.
• Best practice: create a dedicated SA per microservice that needs distinct permissions.

Exam cues:

• “separate permissions per microservice” → separate service accounts.

Hard words:

• *binding* /ˈbaɪndɪŋ/: sự gắn kết/liên kết
• *dedicated* /ˈdedɪkeɪtɪd/: chuyên dụng, riêng biệt