Manually mount serviceAccount token

[Aransh]

Subject
Disables "automountServiceAccountToken", instead manually mounts it as a projected volume where necessary

Problem
By default, kubernetes enables "automountServiceAccountToken" for all pods.
This poses a security risk, as pods might get kube-api permissions unintentionally.
More specifically, this fails security compliance tests:
https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
https://www.azadvertizer.net/azpolicyadvertizer/kubernetes_block-automount-token.html

Solution
Disable "automountServiceAccountToken", create projected volume for the token, and mount it on relevant containers

Validation
Linkerd pods are able to access k8s API, work as expected (same as before)

Fixes #13108

[alpeb]

Thanks @Aransh, this makes sense to me 👍
Could you also implement this for the viz, multicluster and jaeger extensions charts? Note that not all workloads there need to connect to the kube-api so mounting wouldn't always be necessary. Let me know if you need more assistance to figure that out.
Don't worry about the linkerd2-cni chart though, as there currently are other concerns that we need to address (linkerd/linkerd2-proxy-init#416).

[Aransh]

@alpeb I can gladly add that, but I don't currently use any of them, so would be difficult to figure out what’s required...
Could you help with pointing out which containers need kube-api access and which don't?

Also I need to see if I can figure out what's causing the CI to fail currently, will try and take a look next week

[alpeb]

Thanks again for the help @Aransh ! Here's the info you need:

• In the linkerd-viz and linkerd-jaeger charts, all workloads require kube-api access
• In multicluster's linkerd-multicluster chart, the gateway workload does not require kube-api access but the namespace-metadata one does
• In multicluster's linkerd-multicluster-link chart, the service-mirror workload requires kube-api access

BTW, CI had one flaky test, but it's looking good now 👍

[Aransh]

Thanks for the CI clarification 😃

When you say "workload", you mean pod essentially? Keep in mind the token mounting is done per container, or do these workloads all have a single container?

If not/you’re not sure, I can just mount it to all containers, I'd just prefer to do it as precise as I can
For the linkers-control-plane for instance non of the init containers required it, and some of the containers too

[alpeb]

Yeah these are all single-container pods (not counting the proxy and init containers, which don't require any changes).

[Aransh]

Got it, will mount on all containers except init and proxy then, probably will handle Tuesday.
Thanks!

[Aransh]

@alpeb Updated for linkerd-viz, linkerd-jaeger, linkerd-multicluster, and linkerd-multicluster-link as you requested.
I want to mention again I have not tested these as I don't use these charts, but they should see no difference as they all have the token manually mounted, except for the "linkerd-multicluster" gateway workload

[Aransh]

I see it's failing for mismatch with templates again, but running go test ./cli/cmd/... --update as mentioned in docs doesn't seem to change anything after my latest commits... Am I missing something?

[alpeb]

Turns out those docs are outdated... the right command is go test ./... -update

[alpeb]

This looks good to me, pending the remaining golden files updates 👍

[Aransh]

@alpeb updated