Harden automountServiceAccountToken findings in Twistlock
General MR
Summary
Closes https://repo1.dso.mil/big-bang/bigbang/-/issues/1833
This MR leverages the mutating Kyverno policy named update-automountserviceaccounttokens
to harden all ServiceAccounts in the twistlock
namespace/package, and to place Pod exceptions where applicable (depending if the application truly needs access to the K8s API).
Justification for Pod exceptions are placed in comments alongside the code.
Manual testing according to the packages' DEVELOPMENT_MAINTENANCE.md
has shown no loss of functionality. Pipeline tests are passing.