You can use specialized ServiceAccounts with restricted permissions to allow containers to access the Kubernetes API.
- Every namespace has a default service account.
- Each service account has a matching secret object, which has a token.
- When a pod is created, a service account token is mounted automatically.
- The pod accesses the Kubernetes API using the mounted service account token.
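
The manifest below is an added example, not taken from the original page, showing a dedicated ServiceAccount whose token can only read ConfigMaps in one namespace, bound to a pod instead of the namespace's default account. The namespace `demo`, the object names, and the image are placeholders.

```yaml
# Constructed example: all names, the namespace and the image are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: configmap-reader
  namespace: demo
# Pods using this account get no token unless they opt in explicitly.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-read-only
  namespace: demo
rules:
  - apiGroups: [""]              # "" is the core API group
    resources: ["configmaps"]
    verbs: ["get", "list"]       # read-only: no create, update, delete or watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: configmap-reader-binding
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: configmap-reader
    namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-read-only
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: demo
spec:
  serviceAccountName: configmap-reader   # use this account, not "default"
  # The pod-level setting overrides the ServiceAccount-level one, so the
  # token is mounted only for this pod, which actually calls the API.
  automountServiceAccountToken: true
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
```

After applying it, `kubectl auth can-i list secrets -n demo --as=system:serviceaccount:demo:configmap-reader` should answer `no`, while the same check for `configmaps` should answer `yes`.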