Setting Up K9S with Kubernetes Service Accounts for Secure and Fast Cluster Access

The cluster was on fire with alerts, and you needed eyes on it faster than kubectl could type. That’s when K9S and Service Accounts show their real power.

K9S is the terminal UI for Kubernetes that makes navigating namespaces, pods, and resources instant. But to use it in a secure and automated way, you need Service Accounts. By linking K9S to a Kubernetes Service Account, you can give just enough permissions for the job without exposing cluster-wide admin keys.

A Service Account in Kubernetes is a non-human identity. It carries its own token and role bindings. When configured with a Role or ClusterRole using RBAC, it tells K9S exactly what it can and can’t touch. This is the foundation for least-privilege access.

To set up K9S with a Service Account:

Extract the Token and Create a Kubeconfig

SECRET_NAME=$(kubectl get sa k9s-sa -n your-namespace -o jsonpath='{.secrets[0].name}')
TOKEN=$(kubectl get secret $SECRET_NAME -n your-namespace -o jsonpath='{.data.token}' | base64 --decode)

Then build a kubeconfig pointing to your cluster with this token.

Bind the Service Account to a Role

kubectl create rolebinding k9s-rb \
 --clusterrole=view \
 --serviceaccount=your-namespace:k9s-sa \
 --namespace=your-namespace

Create the Service Account

kubectl create serviceaccount k9s-sa -n your-namespace

With this setup, K9S uses the Service Account credentials. You gain fast cluster insight while your RBAC rules limit access to exactly what’s needed. This is critical in multi-user clusters, CI/CD tooling, or any security-conscious environment.

K9S Service Accounts are not just about convenience. They define a clear, auditable boundary between what’s visible and what’s possible. They let you work faster without giving away keys to the kingdom.

Set up K9S with a Service Account now and see it live in minutes at hoop.dev.