Harden automountServiceAccountToken findings in Twistlock

General MR

Summary

Closes https://repo1.dso.mil/big-bang/bigbang/-/issues/1833

This MR leverages the mutating Kyverno policy named update-automountserviceaccounttokens to harden all ServiceAccounts in the twistlock namespace/package, and to place Pod exceptions where applicable (depending if the application truly needs access to the K8s API).

Justification for Pod exceptions are placed in comments alongside the code.

Manual testing according to the packages' DEVELOPMENT_MAINTENANCE.md has shown no loss of functionality. Pipeline tests are passing.

chart/templates/kyverno-policies/values.yaml

@@ -675,6 +675,7 @@ policies:
     namespaces:
       - istio-system
       - istio-operator
+      - twistlock
  
   update-automountserviceaccounttokens:
     enabled: true
@@ -695,6 +696,22 @@ policies:
         pods:
         - istiod-*
         - istio-operator-*
+      - namespace: twistlock
+        serviceAccounts:
+        - twistlock-console
+        - twistlock-init
+        - volume-upgrade-svc-acct
+        - twistlock-service
+        pods:
+        # twistlock-init pods require get/list/patch/etc to several resources. 
+        # More details in twistlock/chart/templates/init/clusterrole.yaml
+        - twistlock-init-*
+        # twistlock-volume-upgrade-job requires patch/get/list/update to deployments and get/list to pods
+        # More details in twistlock/chart/templates/init/volume-upgrade-role.yaml
+        - twistlock-volume-upgrade-job
+        # Twistlock Defender enforces various policies that may involve the K8s cluster itself
+        # Enforcing said policies requires access to the API to get/list resources
+        - twistlock-defender-ds-*
 istio:
   enabled: {{ .Values.istio.enabled }}