security: disable service account token mount on workspace pods

Workspace pods have no reason to talk to the K8s API. Setting
automount_service_account_token = false removes the token from the
pod, eliminating attack surface if a container is compromised.

Author: noeljackson

modules/kubernetes-workspace/main.tf

@@ -106,6 +106,9 @@ resource "kubernetes_pod_v1" "workspace" {
     # Sysbox runtime for Docker-in-Docker support
     runtime_class_name = var.runtime_class_name
 
+    # Workspace pods have no reason to talk to the K8s API
+    automount_service_account_token = false
+
     # Image pull secrets for private registries
     dynamic "image_pull_secrets" {
       for_each = var.image_pull_secrets