The API credentials for service accounts are normally mounted in pods as:
/var/run/secrets/kubernetes.io/serviceaccount/token
This token allows containerized processes in the pod to communicate with the API server.
What's the purpose of a pod's service account (serviceAccountName), if automountServiceAccountToken is set to false?
A little of theory:
Let's start with what happens when pod should be created.
When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace
So all pods are linked to service account anyway (default or specified in spec).
Then API access token is always generated for each service account.
automountServiceAccountToken flag defines if this token will automatically mounted to the pod after it has been created.
There are two options where to set this flag:
In a specific service account
apiVersion: v1
kind: ServiceAccount
metadata:
name: build-robot
automountServiceAccountToken: false
...
In a specific pod
apiVersion: v1
kind: Pod
metadata:
name: my-pod
spec:
serviceAccountName: build-robot
automountServiceAccountToken: false
...
Answer:
What's the purpose of a pod's service account (serviceAccountName), if automountServiceAccountToken is set to false?
It may make a difference depending on what processes are involved in pod creation. Good example is in comments in GitHub issue (where this flag eventually came from):
There are use cases for still creating a token (for use with external systems) or still associating a service account with a pod (for use with image pull secrets), but being able to opt out of API token automount (either for a particular pod, or for a particular service account) is useful.