feat: enable/disable automountServiceAccountToken at Pod level

[darkweaver87]

Description

Some people may want to disable mounting API credentials at ServiceAccount level but still want controller Pod to have automatically access to resources defined in RBACs.
This PR makes it customizable.

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the docs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[k8s-ci-robot]

Hi @darkweaver87. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: darkweaver87
Once this PR has been reviewed and has the lgtm label, please assign m00nf1sh for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[oliviassss]

I would have the default value as false to avoid changing existing user behavior.

[darkweaver87]

OK :-) done

[oliviassss]

Sorry, I've taken a further look here, looks like the automountServiceAccountToken is an opt-out for both pod and SA: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting. And if automountServiceAccountToken is specified both on pod and SA level, the pod level one will take precedence.

I'm just trying to avoid breaking change to existing users here. Do you mind changing the automountServiceAccountToken at pod level to an if condition? If it's specified in the values.yaml, we populate in the manifest, otherwise leave it blank. And in the values.yaml let's just comment out this entry.

[darkweaver87]

Yes you're right. I applied your recommendation without thinking. The default in kubernetes, if not explicitly set, is true for both Pod and ServiceAccount.
Usually I set it to false at ServiceAccount level to avoid automatic mount and true at Pod level to allow pods which really need it. It's particularly useful for the default service account in a namespace.
Some security tools check for this: https://hub.armosec.io/docs/c-0034.
Actually, at first, I wanted to make it not configurable. What do you think about removing the value and just set it hardly to false at ServiceAccount level and true at Pod level ? It won't be breaking in anyway except if people is using aws-load-balancer-controller ServiceAccount for another purpose that this helm chart ...
Or maybe another option might be to have a setAutomountServiceAccountToken which if is true set it to the values I was mentioning previously.

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.