SAP-archive / karydia

Kubernetes Security Walnut

AutomountServiceAccountToken default behavior #98

Closed dacappo closed 5 years ago

dacappo commented 5 years ago

Description

The current implementation of the secure-by-default behavior for token auto-mounts should be moved from Pods to ServiceAccounts. Instead of mutating the Pod resources, the default of automountServiceAccountToken in ServiceAccount resources should be changed from true to false. An overview of the expected behavior between ServiceAccount and Pod settings is given in the following table:

We have had a lengthy discussion on the automountServiceAccountToken issue today. It appears we might want something that we have not implemented and not thought of so far. Let's look at the automountServiceAccountToken setting which can be configured both on the service account and pod level. We have checked the non-obvious combinations and listed all of them in the table below:

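| # | service account | pod | k8s behavior | karydia behavior |
|---|-----------------|-----|--------------|------------------|
| 1 | true | true | true | true |
| 2 | false | true | true | true |
| 3 | true | false | false | false |
| 4 | false | false | false | false |
| 5 | not defined | not defined | true | false |
| 6 | not defined | true | true | true |
| 7 | not defined | false | false | false |
| 8 | true | not defined | true | true |
| 9 | false | not defined | false | false |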

User Story

As an admin, I don't want the automountServiceAccountToken property to be left undefined in ServiceAccount resources. Instead, not defined cases should default to automountServiceAccountToken: false.
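The table in the issue, worked through as an added Go example (not karydia's code and not part of the original issue): it models the Kubernetes precedence between the pod and ServiceAccount settings, applies the proposed ServiceAccount default, and reports which of the nine rows change. The function names are hypothetical, and `*bool` with `nil` for "not defined" is assumed to match how the Kubernetes API types carry this field.

```go
package main

import "fmt"

// b builds the *bool tri-state the Kubernetes API uses; nil means "not defined".
func b(v bool) *bool { return &v }

// k8sEffective: the pod setting wins, then the ServiceAccount's, else mount (true).
func k8sEffective(sa, pod *bool) bool {
	if pod != nil {
		return *pod
	}
	if sa != nil {
		return *sa
	}
	return true
}

// defaultServiceAccount (hypothetical name) models the proposed mutation:
// an undefined ServiceAccount setting becomes false, explicit values are kept.
func defaultServiceAccount(sa *bool) *bool {
	if sa == nil {
		return b(false)
	}
	return sa
}

// karydiaEffective is what a pod gets once its ServiceAccount was defaulted.
func karydiaEffective(sa, pod *bool) bool {
	return k8sEffective(defaultServiceAccount(sa), pod)
}

// changedCases walks the issue's table ({service account, pod}, rows 1 to 9)
// and returns the row numbers where the default changes the Kubernetes outcome.
func changedCases() []int {
	rows := [][2]*bool{
		{b(true), b(true)}, {b(false), b(true)}, {b(true), b(false)},
		{b(false), b(false)}, {nil, nil}, {nil, b(true)},
		{nil, b(false)}, {b(true), nil}, {b(false), nil},
	}
	var changed []int
	for i, r := range rows {
		if k8sEffective(r[0], r[1]) != karydiaEffective(r[0], r[1]) {
			changed = append(changed, i+1)
		}
	}
	return changed
}
func main() { fmt.Println("rows changed by the default:", changedCases()) }
```

Only row 5 differs, and row 8 stays `true` because explicit ServiceAccount values are left untouched and the pod has no setting of its own to override them.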