Mitigate automountServiceAccountToken findings in flux-system and bigbang namespaces

General MR

Summary

Closes #1855 and #1856

This MR hardens all ServiceAccounts present in the flux-system namespace, but overrides this behavior at the pod-spec level since Flux requires heavy access to the Kubernetes API.

The changes are made via Kustomize patches in kustomization.yaml (similar to how we patch in container resource constraints) because the gotk-components.yaml is programmatically generated by Flux and cannot be edited.

This MR also hardens the default ServiceAccount in the flux-system and bigbang namespaces via the mutating Kyverno policy named update-automountserviceaccounttokens-default. This is a minute change, since no resources actually utilize those ServiceAccounts, but it removes two Kyverno policy violations.

Upgrade Notices

N/A

base/flux/kustomization.yaml

@@ -53,6 +53,15 @@ patches:
                     drop:
                       - ALL
                   $patch: replace
+  - target:
+      kind: ServiceAccount
+      name: helm-controller
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: helm-controller
+      automountServiceAccountToken: false
   - target:
       kind: Deployment
       name: helm-controller
@@ -64,6 +73,7 @@ patches:
       spec:
         template:
           spec:
+            automountServiceAccountToken: true
             containers:
             - name: manager
               resources:
@@ -73,6 +83,15 @@ patches:
                 requests:
                   cpu: 900m
                   memory: 1Gi
+  - target:
+      kind: ServiceAccount
+      name: kustomize-controller
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: kustomize-controller
+      automountServiceAccountToken: false
   - target:
       kind: Deployment
       name: kustomize-controller
@@ -84,6 +103,7 @@ patches:
       spec:
         template:
           spec:
+            automountServiceAccountToken: true
             containers:
             - name: manager
               resources:
@@ -93,6 +113,15 @@ patches:
                 requests:
                   cpu: 300m
                   memory: 600Mi
+  - target:
+      kind: ServiceAccount
+      name: notification-controller
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: notification-controller
+      automountServiceAccountToken: false
   - target:
       kind: Deployment
       name: notification-controller
@@ -104,6 +133,7 @@ patches:
       spec:
         template:
           spec:
+            automountServiceAccountToken: true
             containers:
             - name: manager
               resources:
@@ -113,6 +143,15 @@ patches:
                 requests:
                   cpu: 100m
                   memory: 200Mi
+  - target:
+      kind: ServiceAccount
+      name: source-controller
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+      automountServiceAccountToken: false
   - target:
       kind: Deployment
       name: source-controller
@@ -124,6 +163,7 @@ patches:
       spec:
         template:
           spec:
+            automountServiceAccountToken: true
             containers:
             - name: manager
               resources: