Restrict auto-mount of service account token in service account

[michalschott]

Fixes #N/A

Description
Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount. The ServiceAccount may be assigned roles allowing Pods to access API resources. Blocking this ability is an extension of the least privilege best practice and should be followed if Pods do not need to speak to the API server to function.

Obviously Karpenter relies on this, so token is mounted to it's pods (set on deployment level).

How was this change tested?
Custom EKS cluster

Does this change impact docs?

• Yes, PR includes docs updates
• Yes, issue opened: #
• No

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[netlify]

✅ Deploy Preview for karpenter-docs-prod canceled.

Name	Link
🔨 Latest commit	38869c9
🔍 Latest deploy log	https://app.netlify.com/sites/karpenter-docs-prod/deploys/67a998f709e4d70008920579

[jonathan-innis]

LGTM 🚀

[jonathan-innis]

Makes sense to me!

[jonathan-innis]

/karpenter snapshot

[coveralls]

Pull Request Test Coverage Report for Build 13234701530

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

• For more information on this, see Tracking coverage changes with pull request builds.
• To avoid this issue with future PRs, see these Recommended CI Configurations.
• For a quick fix, rebase this PR at GitHub. Your next report should be accurate.

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 64.766%

---

Totals
Change from base Build 13213523731:	0.0%
Covered Lines:	5803
Relevant Lines:	8960

---

💛 - Coveralls

[jonathan-innis]

/karpenter snapshot