When we (humans) try to access a Kubernetes cluster with RBAC enabled, we are authenticated as users. Our username provides an identity that API server uses to decide whether we are allowed to perform intended actions. Similarly processes running inside containers might also need to access the API. In such cases, they are authenticated as a specific ServiceAccount.
ServiceAccounts provide a mechanism to grant permissions to processes running inside containers. In many ways, ServiceAccounts are very similar to RBAC users or groups. With humans, we use RoleBindings and ClusterRoleBindings to relate users and groups to Roles and ClusterRoles. When working with processes, the main difference is in the name and the scope. Instead of users or groups, we create ServiceAccounts which we bind to roles. However, unlike users that can be global, ServiceAccounts are tied to specific Namespaces.
We won't go into any more theory. Instead, we'll try to learn different aspects of ServiceAccounts through hands-on examples.