Resolve "Mitigate automountServiceAccountToken findings in promtail"

General MR

Mitigate automountServiceAccountToken findings in promtail

Summary

Automounting of service account token presents a risk to the cluster. This MR seeks to remedy this by disabling automounting on the service account while ignoring the finding on the pod to allow full functionality.

Closes https://repo1.dso.mil/big-bang/bigbang/-/issues/1831

chart/templates/kyverno-policies/values.yaml

@@ -693,6 +693,7 @@ policies:
       - anchore
       - fortify
       - vault
+      - promtail
 
   update-automountserviceaccounttokens:
     enabled: true
@@ -841,7 +842,12 @@ policies:
         - vault-vault
         - vault-vault-root-token-secret
         - vault-vault-agent-injector
-
+      - namespace: promtail 
+        serviceAccounts:
+        - promtail-promtail
+        pods:
+        - promtail-promtail-*
+        
 istio:
   enabled: {{ .Values.istio.enabled }}