Cluster Security

Service Accounts provide a way to authenticate users.
Each service account has a token, which is checked with API server.
Service account admission controller makes sure each new created pod without service account is assinged to the default service account of its namespace.
Service Account Controller makes sure to use the token generated by Token Controller and create default service account of namespace.

In order to gain depth defense, you need to take security in consideration through every layer of your cluster. like using App Armor for container level security.