Merge pull request #37953 from liggitt/automount

Automatic merge from submit-queue (batch tested with PRs 37137, 41506, 41239, 41511, 37953)

Add field to control service account token automounting

Fixes https://github.com/kubernetes/kubernetes/issues/16779

* adds an `automountServiceAccountToken *bool` field to `ServiceAccount` and `PodSpec`
* if set in both the service account and pod, the pod wins
* if unset in both the service account and pod, we automount for backwards compatibility

```release-note
An `automountServiceAccountToken *bool` field was added to ServiceAccount and PodSpec objects. If set to `false` on a pod spec, no service account token is automounted in the pod. If set to `false` on a service account, no service account token is automounted for that service account unless explicitly overridden in the pod spec.
```

plugin/pkg/admission/serviceaccount/admission.go

@@ -222,7 +222,7 @@ func (s *serviceAccount) Admit(a admission.Attributes) (err error) {
 		}
 	}
 
-	if s.MountServiceAccountToken {
+	if s.MountServiceAccountToken && shouldAutomount(serviceAccount, pod) {
 		if err := s.mountServiceAccountToken(serviceAccount, pod); err != nil {
 			if _, ok := err.(errors.APIStatus); ok {
 				return err
@@ -239,6 +239,19 @@ func (s *serviceAccount) Admit(a admission.Attributes) (err error) {
 	return nil
 }
 
+func shouldAutomount(sa *api.ServiceAccount, pod *api.Pod) bool {
+	// Pod's preference wins
+	if pod.Spec.AutomountServiceAccountToken != nil {
+		return *pod.Spec.AutomountServiceAccountToken
+	}
+	// Then service account's
+	if sa.AutomountServiceAccountToken != nil {
+		return *sa.AutomountServiceAccountToken
+	}
+	// Default to true for backwards compatibility
+	return true
+}
+
 // enforceMountableSecrets indicates whether mountable secrets should be enforced for a particular service account
 // A global setting of true will override any flag set on the individual service account
 func (s *serviceAccount) enforceMountableSecrets(serviceAccount *api.ServiceAccount) bool {